webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
43
1
"id"
4
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
42
2
getParameter
1
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
17
3
id
2
81
var id = request.getParameter("id");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
85
57
1
newUser
7
85
public WebGoatUser addUser(@RequestBody WebGoatUser newUser) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
87
33
2
newUser
7
87
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
87
55
3
newUser
7
87
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
87
77
4
newUser
7
87
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
88
51
5
newUser
7
88
return userService.loadUserByUsername(newUser.getUsername());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
88
70
6
getUsername
1
88
return userService.loadUserByUsername(newUser.getUsername());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
88
50
7
loadUserByUsername
1
88
return userService.loadUserByUsername(newUser.getUsername());
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
59
56
1
userId
6
59
public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
71
61
2
userId
6
71
userSessionData.setValue("account-verified-id", userId);
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
71
37
3
setValue
1
71
userSessionData.setValue("account-verified-id", userId);
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
72
27
4
success
1
72
return success(this)
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
73
30
5
feedback
1
73
.feedback("verify-account.success")
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
74
27
6
build
1
74
.build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
52
1
username_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
56
73
2
username_login
14
56
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
56
72
3
feedbackArgs
1
56
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
56
94
4
build
1
56
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
59
68
1
email
5
59
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
66
2
email
5
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
65
3
feedbackArgs
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
78
4
build
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
59
68
1
email
5
59
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
66
2
email
5
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
65
3
feedbackArgs
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
78
4
build
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
45
84
1
field1
6
45
@RequestParam Integer QTY4, @RequestParam String field1,
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
57
2
field1
6
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
20
3
append
1
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
58
9
4
cart
4
58
cart.append(" ------------------- <br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
59
9
5
cart
4
59
cart.append(" $" + totalSale);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
90
6
cart
4
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
103
7
toString
1
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
89
8
output
1
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
112
9
build
1
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
45
84
1
field1
6
45
@RequestParam Integer QTY4, @RequestParam String field1,
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
57
2
field1
6
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
20
3
append
1
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
58
9
4
cart
4
58
cart.append(" ------------------- <br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
59
9
5
cart
4
59
cart.append(" $" + totalSale);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
88
6
cart
4
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
101
7
toString
1
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
87
8
output
1
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
110
9
build
1
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
45
84
1
field1
6
45
@RequestParam Integer QTY4, @RequestParam String field1,
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
57
2
field1
6
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
20
3
append
1
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
58
9
4
cart
4
58
cart.append(" ------------------- <br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
59
9
5
cart
4
59
cart.append(" $" + totalSale);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
78
29
6
cart
4
78
.output(cart.toString())
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
78
42
7
toString
1
78
.output(cart.toString())
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
78
28
8
output
1
78
.output(cart.toString())
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
79
27
9
build
1
79
.build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
80
62
1
commentStr
10
80
public AttackResult createNewComment(@RequestBody String commentStr) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
37
2
commentStr
10
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
97
38
3
comment
7
97
private Comment parseJson(String comment) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
37
4
comment
7
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
36
5
readValue
1
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
36
6
parseJson
1
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
17
7
comment
7
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
87
21
8
add
1
87
comments.add(comment);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
52
9
comments
8
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
25
10
put
1
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
93
27
11
failed
1
93
return (failed(this).feedback("xss-stored-comment-failure").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
93
42
12
feedback
1
93
return (failed(this).feedback("xss-stored-comment-failure").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
93
78
13
build
1
93
return (failed(this).feedback("xss-stored-comment-failure").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
80
62
1
commentStr
10
80
public AttackResult createNewComment(@RequestBody String commentStr) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
37
2
commentStr
10
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
97
38
3
comment
7
97
private Comment parseJson(String comment) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
37
4
comment
7
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
36
5
readValue
1
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
36
6
parseJson
1
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
17
7
comment
7
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
87
21
8
add
1
87
comments.add(comment);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
52
9
comments
8
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
25
10
put
1
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
91
28
11
success
1
91
return (success(this).feedback("xss-stored-comment-success").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
91
43
12
feedback
1
91
return (success(this).feedback("xss-stored-comment-success").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
91
79
13
build
1
91
return (success(this).feedback("xss-stored-comment-success").build());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
48
51
1
request
7
48
public String getBasicAuth(HttpServletRequest request) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
31
2
request
7
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
49
3
getSession
1
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
64
4
getAttribute
1
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
10
5
basicAuth
9
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
57
41
6
basicAuth
9
57
return "Authorization: Basic ".concat(basicAuth);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
57
40
7
concat
1
57
return "Authorization: Basic ".concat(basicAuth);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
50
45
1
request
7
50
public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
29
2
request
7
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
47
3
getSession
1
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
62
4
getAttribute
1
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
10
5
md5Hash
7
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
65
10
6
md5Hash
7
65
return md5Hash;
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
70
48
1
request
7
70
public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
28
2
request
7
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
46
3
getSession
1
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
61
4
getAttribute
1
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
10
5
sha256
6
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
79
10
6
sha256
6
79
return sha256;
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
52
52
1
request
7
52
public String getPrivateKey(HttpServletRequest request) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
32
2
request
7
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
50
3
getSession
1
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
65
4
getAttribute
1
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
10
5
privateKey
10
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
61
10
6
privateKey
10
61
return privateKey;
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
50
54
1
request
7
50
public AttackResult completed(HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
27
2
request
7
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
51
3
getUserPrincipal
1
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
61
4
getName
1
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
16
5
userName
8
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
52
13
6
userName
8
52
if (userName.startsWith("csrf")) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
56
72
7
userName
8
56
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
56
71
8
feedbackArgs
1
56
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
56
87
9
build
1
56
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
78
48
1
reviewText
10
78
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
24
2
reviewText
10
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
23
3
setText
1
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
9
4
review
6
85
review.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
86
9
5
review
6
86
review.setUser(webSession.getUserName());
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
87
9
6
review
6
87
review.setStars(stars);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
21
7
review
6
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
20
8
add
1
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
51
9
reviews
7
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
24
10
put
1
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
97
26
11
failed
1
97
return failed(this).feedback("csrf-same-host").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
97
41
12
feedback
1
97
return failed(this).feedback("csrf-same-host").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
97
65
13
build
1
97
return failed(this).feedback("csrf-same-host").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
78
48
1
reviewText
10
78
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
24
2
reviewText
10
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
23
3
setText
1
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
9
4
review
6
85
review.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
86
9
5
review
6
86
review.setUser(webSession.getUserName());
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
87
9
6
review
6
87
review.setStars(stars);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
21
7
review
6
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
20
8
add
1
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
51
9
reviews
7
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
24
10
put
1
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
93
26
11
failed
1
93
return failed(this).feedback("csrf-you-forgot-something").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
93
41
12
feedback
1
93
return failed(this).feedback("csrf-you-forgot-something").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
93
76
13
build
1
93
return failed(this).feedback("csrf-you-forgot-something").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
78
48
1
reviewText
10
78
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
24
2
reviewText
10
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
23
3
setText
1
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
9
4
review
6
85
review.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
86
9
5
review
6
86
review.setUser(webSession.getUserName());
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
87
9
6
review
6
87
review.setStars(stars);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
21
7
review
6
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
20
8
add
1
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
51
9
reviews
7
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
24
10
put
1
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
99
27
11
success
1
99
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
99
42
12
feedback
1
99
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
99
71
13
build
1
99
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
36
56
1
person
6
36
public AttackResult completed(@RequestParam String person) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
37
14
2
person
6
37
if (!person.equals("")) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
48
3
person
6
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
31
4
StringBuffer
3
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
63
5
reverse
1
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
74
6
toString
1
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
30
7
feedbackArgs
1
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
41
23
8
build
1
41
.build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
132
59
1
jwtToken
8
132
public String decode(@RequestParam("jwtToken") String jwtToken) throws NoSuchAlgorithmException {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
49
2
jwtToken
8
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
27
3
jwtToken
8
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
45
4
substring
1
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
11
5
encodedHeader
13
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
136
59
6
encodedHeader
13
136
String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
136
58
7
decodeToString
1
136
String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
136
11
8
jsonHeader
10
136
String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
32
9
jsonHeader
10
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
50
10
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
11
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
54
85
1
json
4
54
public ResponseEntity follow(@RequestBody(required = false) Map<String, Object> json) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
58
32
2
json
4
58
String user = (String) json.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
58
40
3
get
1
58
String user = (String) json.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
58
16
4
user
4
58
String user = (String) json.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
62
39
5
user
4
62
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
67
56
6
user
4
67
private Map<String, Object> createNewTokens(String user) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
28
7
user
4
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
19
8
put
1
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
28
9
claims
6
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
27
10
setClaims
1
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
74
26
11
signWith
1
74
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
75
25
12
compact
1
75
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
71
16
13
token
5
71
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
39
14
token
5
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
22
15
put
1
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
80
9
16
tokenJson
9
80
tokenJson.put("refresh_token", refreshToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
81
16
17
tokenJson
9
81
return tokenJson;
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
62
38
18
createNewTokens
1
62
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
62
22
19
ok
1
62
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
86
115
1
token
5
86
public ResponseEntity<AttackResult> checkout(@RequestHeader(value = "Authorization", required = false) String token) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
71
2
token
5
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
84
3
replace
1
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
70
4
parse
1
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
17
5
jwt
3
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
38
6
jwt
3
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
49
7
getBody
1
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
20
8
claims
6
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
36
9
claims
6
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
46
10
get
1
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
20
11
user
4
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
81
12
user
4
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
80
13
feedbackArgs
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
92
14
build
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
22
15
ok
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
107
101
1
token
5
107
public ResponseEntity newToken(@RequestHeader(value = "Authorization", required = false) String token,
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
87
2
token
5
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
100
3
replace
1
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
86
4
parse
1
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
33
5
jwt
3
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
29
6
jwt
3
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
40
7
getBody
1
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
46
8
get
1
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
13
9
user
4
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
39
10
user
4
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
67
56
11
user
4
67
private Map<String, Object> createNewTokens(String user) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
28
12
user
4
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
19
13
put
1
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
28
14
claims
6
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
27
15
setClaims
1
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
74
26
16
signWith
1
74
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
75
25
17
compact
1
75
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
71
16
18
token
5
71
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
39
19
token
5
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
22
20
put
1
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
80
9
21
tokenJson
9
80
tokenJson.put("refresh_token", refreshToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
81
16
22
tokenJson
9
81
return tokenJson;
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
38
23
createNewTokens
1
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
22
24
ok
1
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
72
52
1
token
5
72
public AttackResult login(@RequestParam String token) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
74
69
2
token
5
74
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
74
68
3
parse
1
74
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
74
17
4
jwt
3
74
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
75
38
5
jwt
3
75
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
75
49
6
getBody
1
75
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
75
20
7
claims
6
75
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
76
18
8
claims
6
76
if (!claims.keySet().containsAll(expectedClaims)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
79
40
9
claims
6
79
String user = (String) claims.get("username");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
79
50
10
get
1
79
String user = (String) claims.get("username");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
79
24
11
user
4
79
String user = (String) claims.get("username");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
84
92
12
user
4
84
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
84
91
13
feedbackArgs
1
84
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
84
103
14
build
1
84
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
55
73
1
json
4
55
public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
56
44
2
json
4
56
String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
57
36
3
json
4
57
String username = (String) json.getOrDefault("username", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
57
53
4
getOrDefault
1
57
String username = (String) json.getOrDefault("username", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
57
16
5
username
8
57
String username = (String) json.getOrDefault("username", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
59
40
6
username
8
59
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
41
7
username
8
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
65
90
8
username
8
65
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
65
89
9
feedbackArgs
1
65
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
65
105
10
build
1
65
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
59
68
1
email
5
59
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
75
66
2
email
5
75
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
75
65
3
feedbackArgs
1
75
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
75
78
4
build
1
75
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
69
56
1
question
8
69
public AttackResult completed(@RequestParam String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
33
2
question
8
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
37
29
3
question
8
37
public void incr(String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
31
4
question
8
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
30
5
add
1
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
13
6
triedQuestions
14
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
73
17
7
triedQuestions
14
73
if (triedQuestions.isComplete()) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
74
31
8
success
1
74
return success(this).output("<b>" + answer + "</b>").build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
74
44
9
output
1
74
return success(this).output("<b>" + answer + "</b>").build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
74
75
10
build
1
74
return success(this).output("<b>" + answer + "</b>").build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
69
56
1
question
8
69
public AttackResult completed(@RequestParam String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
33
2
question
8
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
37
29
3
question
8
37
public void incr(String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
31
4
question
8
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
30
5
add
1
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
13
6
triedQuestions
14
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
73
17
7
triedQuestions
14
73
if (triedQuestions.isComplete()) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
77
34
8
informationMessage
1
77
return informationMessage(this)
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
78
26
9
feedback
1
78
.feedback("password-questions-one-successful")
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
79
24
10
output
1
79
.output(answer.orElse("Unknown question, please try again..."))
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
80
23
11
build
1
80
.build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
71
60
1
emailReset
10
71
public AttackResult resetPassword(@RequestParam String emailReset) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
35
2
emailReset
10
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
34
3
ofNullable
1
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
53
4
orElse
1
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
16
5
email
5
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
73
50
6
email
5
73
return sendEmail(extractUsername(email), email);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
81
60
7
email
5
81
private AttackResult sendEmail(String username, String email) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
95
103
8
email
5
95
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
95
102
9
feedbackArgs
1
95
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
95
115
10
build
1
95
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
73
25
11
sendEmail
1
73
return sendEmail(extractUsername(email), email);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
49
3
getQueryString
1
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
13
4
queryParams
11
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
22
3
request
7
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
42
4
getParameter
1
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
17
5
id
2
81
var id = request.getParameter("id");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
2
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
3
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
4
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
5
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
6
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
7
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
8
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
9
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
10
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
11
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
12
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
76
13
output
6
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
91
14
toString
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
75
15
output
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
100
16
build
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
2
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
3
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
4
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
5
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
6
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
7
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
8
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
9
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
10
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
11
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
12
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
74
13
output
6
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
89
14
toString
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
73
15
output
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
98
16
build
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
88
2
username_reg
12
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
87
3
feedbackArgs
1
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
107
4
build
1
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
21
5
attackResult
12
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
85
16
6
attackResult
12
85
return attackResult;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
153
6
query
5
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
130
7
output
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
165
8
build
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
31
9
injectableQuery
1
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
55
56
1
query
5
55
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
32
2
query
5
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
59
51
3
query
5
59
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
68
68
4
query
5
68
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
68
30
5
append
1
68
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
17
6
output
6
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
81
7
output
6
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
96
8
toString
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
80
9
output
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
105
10
build
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
31
11
injectableQuery
1
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
56
56
1
query
5
56
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
32
2
query
5
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
60
51
3
query
5
60
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
71
72
4
query
5
71
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
71
34
5
append
1
71
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
21
6
output
6
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
49
7
output
6
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
64
8
toString
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
48
9
output
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
73
10
build
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
31
11
injectableQuery
1
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
52
56
1
query
5
52
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
32
2
query
5
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
56
51
3
query
5
56
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
65
72
4
query
5
65
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
65
34
5
append
1
65
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
49
6
output
6
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
64
7
toString
1
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
48
8
output
1
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
73
9
build
1
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
31
10
injectableQuery
1
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
40
42
1
query
5
40
public AttackResult completed(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
41
32
2
query
5
41
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
44
51
3
query
5
44
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
50
17
4
query
5
50
if (query.matches(regex)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
51
68
5
query
5
51
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
51
30
6
append
1
51
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
45
7
output
6
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
60
8
toString
1
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
44
9
output
1
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
69
10
build
1
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
41
31
11
injectableQuery
1
41
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
98
6
query
5
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
51
7
output
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
110
8
build
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
9
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
98
6
query
5
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
51
7
output
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
110
8
build
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
9
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
98
6
query
5
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
51
7
output
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
110
8
build
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
9
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
53
6
queryString
11
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
7
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
8
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
97
9
build
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
10
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
85
1
login_count
11
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
32
2
login_count
11
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
51
3
login_count
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
78
4
login_count
11
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
5
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
6
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
97
7
build
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
8
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
45
56
1
url
3
45
public AttackResult completed(@RequestParam String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
46
24
2
url
3
46
return furBall(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
49
43
3
url
3
49
protected AttackResult furBall(String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
53
17
4
url
3
53
if (url.matches("http://ifconfig.pro")) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
33
5
url
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
25
6
URL
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
21
7
u
1
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
47
8
u
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
63
9
openConnection
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
31
10
urlConnection
13
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
78
11
urlConnection
13
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
106
12
getInputStream
1
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
56
13
InputStreamReader
3
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
37
14
BufferedReader
3
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
32
15
in
2
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
59
37
16
in
2
59
while ((inputLine = in.readLine()) != null) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
59
48
17
readLine
1
59
while ((inputLine = in.readLine()) != null) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
59
52
18
!=
2
59
while ((inputLine = in.readLine()) != null) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
60
33
19
inputLine
9
60
html.append(inputLine);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
60
32
20
append
1
60
html.append(inputLine);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
66
33
21
html
4
66
.output(html.toString())
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
66
46
22
toString
1
66
.output(html.toString())
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
66
32
23
output
1
66
.output(html.toString())
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
67
31
24
build
1
67
.build();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
46
23
25
furBall
1
46
return furBall(url);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
42
49
1
payload
7
42
AttackResult completed(@RequestParam String payload) {
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
2
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
3
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
4
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
5
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
6
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
53
56
1
email
5
53
public AttackResult sendEmail(@RequestParam String email) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
46
2
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
27
3
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
67
89
4
email
5
67
return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
67
88
5
feedbackArgs
1
67
return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
67
101
6
build
1
67
return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
53
56
1
email
5
53
public AttackResult sendEmail(@RequestParam String email) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
46
2
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
27
3
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
42
4
substring
1
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
16
5
username
8
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
55
13
6
username
8
55
if (username.equalsIgnoreCase(getWebSession().getUserName())) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
69
93
7
username
8
69
return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
69
92
8
feedbackArgs
1
69
return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
69
108
9
build
1
69
return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
75
56
1
uniqueCode
10
75
public AttackResult completed(@RequestParam String uniqueCode) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
76
13
2
uniqueCode
10
76
if (uniqueCode.equals(StringUtils.reverse(getWebSession().getUserName()))) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
79
85
3
uniqueCode
10
79
return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
79
84
4
feedbackArgs
1
79
return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
79
102
5
build
1
79
return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
78
56
1
commentStr
10
78
public AttackResult addComment(@RequestBody String commentStr) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
80
13
2
commentStr
10
80
if (commentStr.contains(CONTENTS)) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
49
3
commentStr
10
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
4
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
5
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
6
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
7
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
8
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
9
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
48
10
parseXml
1
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
21
11
comment
7
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
33
12
comment
7
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
13
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
15
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
17
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
18
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
32
19
addComment
1
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
90
22
20
failed
1
90
return failed(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
90
34
21
build
1
90
return failed(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
78
56
1
commentStr
10
78
public AttackResult addComment(@RequestBody String commentStr) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
80
13
2
commentStr
10
80
if (commentStr.contains(CONTENTS)) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
49
3
commentStr
10
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
4
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
5
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
6
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
7
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
8
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
9
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
48
10
parseXml
1
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
21
11
comment
7
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
33
12
comment
7
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
13
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
15
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
17
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
18
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
32
19
addComment
1
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
26
20
failed
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
39
21
output
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
59
22
build
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
53
59
1
commentStr
10
53
public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
64
53
2
commentStr
10
64
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
3
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
4
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
5
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
6
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
7
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
8
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
64
52
9
parseXml
1
64
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
64
25
10
comment
7
64
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
65
37
11
comment
7
65
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
12
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
13
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
15
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
17
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
65
36
18
addComment
1
65
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
67
43
19
success
1
67
attackResult = success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
67
55
20
build
1
67
attackResult = success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
67
21
21
attackResult
12
67
attackResult = success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
75
16
22
attackResult
12
75
return attackResult;
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
66
62
1
commentStr
10
66
public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
49
2
commentStr
10
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
3
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
4
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
5
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
6
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
7
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
8
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
48
9
parseXml
1
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
21
10
comment
7
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
33
11
comment
7
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
12
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
13
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
15
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
17
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
13
18
comments
8
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
72
31
19
success
1
72
return success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
72
43
20
build
1
72
return success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
66
62
1
commentStr
10
66
public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
49
2
commentStr
10
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
3
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
4
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
5
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
6
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
7
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
8
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
48
9
parseXml
1
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
21
10
comment
7
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
33
11
comment
7
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
12
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
13
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
15
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
17
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
13
18
comments
8
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
22
19
failed
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
35
20
output
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
48
21
build
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
66
1
userAgent
9
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
59
2
userAgent
9
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
116
1
text
4
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
70
2
text
4
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
101
2
username_reg
12
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
24
3
checkUserQuery
14
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
62
4
checkUserQuery
14
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
5
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
6
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
7
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
48
89
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
49
13
2
userId
6
49
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
52
62
3
userId
6
52
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
4
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
5
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
6
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
7
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
8
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
48
101
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
18
2
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
3
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
4
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
5
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
6
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
7
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
8
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
9
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
10
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
11
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
12
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
13
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
52
56
1
action_string
13
52
public AttackResult completed(@RequestParam String action_string) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
44
2
action_string
13
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
56
63
3
action
6
56
protected AttackResult injectableQueryAvailability(String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
74
4
action
6
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
16
5
query
5
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
60
6
query
5
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
7
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
55
56
1
query
5
55
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
32
2
query
5
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
59
51
3
query
5
59
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
56
4
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
5
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
56
56
1
query
5
56
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
32
2
query
5
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
60
51
3
query
5
60
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
41
4
query
5
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
40
5
executeUpdate
1
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
52
56
1
query
5
52
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
32
2
query
5
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
56
51
3
query
5
56
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
41
4
query
5
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
40
5
executeUpdate
1
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
60
6
query
5
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
7
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
60
6
query
5
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
7
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
60
6
query
5
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
7
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
60
6
query
5
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
7
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
52
1
username_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
129
2
username_login
14
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
70
3
prepareStatement
1
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
31
4
statement
9
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
35
5
statement
9
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
6
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
89
1
password_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
169
2
password_login
14
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
70
3
prepareStatement
1
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
31
4
statement
9
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
35
5
statement
9
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
6
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
67
6
queryString
11
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
66
7
prepareStatement
1
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
31
8
query
5
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
68
13
9
query
5
68
query.setInt(1, count);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
37
10
query
5
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
11
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
69
51
1
column
6
69
public List<Server> sort(@RequestParam String column) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
189
2
column
6
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
79
3
prepareStatement
1
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
198
4
preparedStatement
1
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
28
5
preparedStatement
17
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
58
6
executeQuery
1
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
56
59
1
executeQuery
1
56
ResultSet results = statement.executeQuery(query);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
56
27
2
results
7
56
ResultSet results = statement.executeQuery(query);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
60
40
3
next
1
60
while (results.next()) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
62
63
4
getString
1
62
userMap.put("first", results.getString(1));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
66
64
5
getString
1
66
userMap.put("cookie", results.getString(5));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
66
36
6
put
1
66
userMap.put("cookie", results.getString(5));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
67
25
7
userMap
7
67
userMap.put("loginCount", Integer.toString(results.getInt(6)));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
68
60
8
userMap
7
68
allUsersMap.put(results.getInt(0), userMap);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
68
40
9
put
1
68
allUsersMap.put(results.getInt(0), userMap);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
71
28
10
allUsersMap
11
71
return allUsersMap;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
27
2
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
67
3
results
7
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
4
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
5
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
6
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
7
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
8
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
9
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
10
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
11
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
12
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
13
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
66
14
writeTable
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
34
15
append
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
63
16
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
25
17
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
83
25
18
output
6
83
output.append(appendingWhenSucceded);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
105
19
output
6
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
120
20
toString
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
104
21
feedbackArgs
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
130
22
output
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
165
23
build
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
31
24
injectableQuery
1
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
1
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
27
2
results
7
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
67
69
3
results
7
67
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
67
68
13
generateTable
1
67
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
67
34
14
append
1
67
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
85
15
output
6
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
100
16
toString
1
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
84
17
output
1
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
109
18
build
1
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
43
19
injectableQueryAvailability
1
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
23
2
results
7
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
65
3
results
7
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
64
13
generateTable
1
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
30
14
append
1
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
81
15
output
6
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
96
16
toString
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
80
17
output
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
105
18
build
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
31
19
injectableQuery
1
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
66
64
1
executeQuery
1
66
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
66
27
2
results
7
66
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
69
3
results
7
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
68
13
generateTable
1
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
34
14
append
1
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
49
15
output
6
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
64
16
toString
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
48
17
output
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
73
18
build
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
31
19
injectableQuery
1
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
27
2
results
7
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
68
46
3
results
7
68
output.append(writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
4
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
5
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
6
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
7
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
8
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
9
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
10
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
11
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
12
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
13
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
68
45
14
writeTable
1
68
output.append(writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
68
34
15
append
1
68
output.append(writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
145
16
output
6
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
160
17
toString
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
144
18
feedbackArgs
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
169
19
build
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
20
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
1
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
27
2
results
7
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
69
53
3
results
7
69
output.append(generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
69
52
13
generateTable
1
69
output.append(generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
69
38
14
append
1
69
output.append(generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
93
15
output
6
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
108
16
toString
1
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
92
17
output
1
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
117
18
build
1
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
46
19
injectableQueryConfidentiality
1
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
1
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
27
2
results
7
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
70
73
3
results
7
70
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
70
72
13
generateTable
1
70
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
70
38
14
append
1
70
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
81
51
15
output
6
81
return checkSalaryRanking(connection, output);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
89
81
16
output
6
89
private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
80
17
output
6
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
95
18
toString
1
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
79
19
output
1
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
104
20
build
1
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
81
38
21
checkSalaryRanking
1
81
return checkSalaryRanking(connection, output);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
40
22
injectableQueryIntegrity
1
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
94
59
1
executeQuery
1
94
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
94
27
2
results
7
94
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
99
69
3
results
7
99
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
99
68
13
generateTable
1
99
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
99
34
14
append
1
99
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
85
15
output
6
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
100
16
toString
1
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
84
17
output
1
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
109
18
build
1
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
81
38
19
checkSalaryRanking
1
81
return checkSalaryRanking(connection, output);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
40
20
injectableQueryIntegrity
1
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
1
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
27
2
results
7
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
77
67
3
results
7
77
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
4
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
5
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
6
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
7
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
8
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
9
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
10
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
11
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
12
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
13
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
77
66
14
writeTable
1
77
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
77
34
15
append
1
77
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
163
16
output
6
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
178
17
toString
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
162
18
feedbackArgs
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
187
19
build
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
20
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
103
1
listFiles
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
66
2
arrayToCommaDelimitedString
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
115
3
getBytes
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
26
4
body
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
46
56
1
token
5
46
public AttackResult completed(@RequestParam String token) throws IOException {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
20
2
token
5
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
33
3
replace
1
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
51
4
replace
1
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
9
5
b64token
8
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
112
6
b64token
8
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
111
7
decode
1
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
60
8
ByteArrayInputStream
3
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
38
9
ObjectInputStream
3
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
56
38
10
readObject
1
56
Object o = ois.readObject();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
42
49
1
payload
7
42
AttackResult completed(@RequestParam String payload) {
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
2
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
3
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
59
1
""\r""
4
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
3
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
4
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
5
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
6
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
7
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
41
1
""\n""
4
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
3
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
5
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
6
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
7
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
8
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
41
1
""-----END PRIVATE KEY-----""
27
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
2
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
3
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
5
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
6
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
8
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
9
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
10
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
11
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
41
1
""-----BEGIN PRIVATE KEY-----""
29
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
40
2
replace
1
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
3
3
privateKeyPem
13
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
19
4
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
5
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
6
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
8
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
9
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
10
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
11
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
12
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
13
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
14
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
72
1
""""
2
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
40
2
replace
1
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
3
3
privateKeyPem
13
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
19
4
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
5
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
6
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
8
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
9
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
10
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
11
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
12
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
13
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
14
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
70
1
""""
2
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
2
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
3
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
5
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
6
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
8
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
9
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
10
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
11
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
47
1
""""
2
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
3
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
5
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
6
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
7
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
8
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
65
1
""""
2
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
3
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
4
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
5
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
6
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
7
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
88
23
1
""secret""
8
88
String jsonSecret = "secret";
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
88
10
2
jsonSecret
10
88
String jsonSecret = "secret";
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
89
70
3
jsonSecret
10
89
String jwtToken = jwtFinalEndpoint.encode(jsonHeader, jsonPayload, jsonSecret).replace(":", "")
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
92
42
4
jsonSecret
10
92
@RequestParam("jsonSecret") String jsonSecret) throws NoSuchAlgorithmException {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
105
110
5
jsonSecret
10
105
encodedSignature = TextCodec.BASE64URL.encode(getJWTSignature(jsonHeader, encodedHeader, encodedPayload, jsonSecret));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
117
107
6
jsonSecret
10
117
private byte[] getJWTSignature(String jsonHeader, String encodedHeader, String encodedPayload, String jsonSecret) throws NoSuchAlgorithmException, InvalidKeyException {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
124
78
7
jsonSecret
10
124
SecretKeySpec secret_key = new SecretKeySpec(TextCodec.BASE64.decode(jsonSecret), algorithm);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
124
77
8
decode
1
124
SecretKeySpec secret_key = new SecretKeySpec(TextCodec.BASE64.decode(jsonSecret), algorithm);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
25
35
1
nextInt
1
25
int j = random.nextInt(a.length);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
53
68
1
nextInt
1
53
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
55
48
1
nextInt
1
55
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
74
48
1
nextInt
1
74
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
63
76
1
nextInt
1
63
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
69
76
1
nextInt
1
69
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
80
72
1
nextInt
1
80
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
51
97
1
nextInt
1
51
public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
25
35
1
nextInt
1
25
int j = random.nextInt(a.length);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
53
68
1
nextInt
1
53
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
55
48
1
nextInt
1
55
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
74
48
1
nextInt
1
74
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
63
76
1
nextInt
1
63
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
69
76
1
nextInt
1
69
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
80
72
1
nextInt
1
80
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
51
97
1
nextInt
1
51
public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
75
52
2
username_reg
12
75
preparedStatement.setString(1, username_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
75
48
3
setString
1
75
preparedStatement.setString(1, username_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
76
21
4
preparedStatement
17
76
preparedStatement.setString(2, email_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
21
5
preparedStatement
17
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
21
6
preparedStatement
17
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
7
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
97
1
email_reg
9
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
76
52
2
email_reg
9
76
preparedStatement.setString(2, email_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
76
48
3
setString
1
76
preparedStatement.setString(2, email_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
21
4
preparedStatement
17
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
21
5
preparedStatement
17
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
6
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
129
1
password_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
52
2
password_reg
12
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
48
3
setString
1
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
21
4
preparedStatement
17
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
5
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
53
11
1
password
8
53
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
59
16
1
password
8
59
String password = (String) json.get("password");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
68
20
1
passwordTom
11
68
String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
61
16
1
password
8
61
String password = "dave";
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
31
20
1
password
8
31
private String password = "";
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
51
32
1
usersToTomPassword
18
51
static Map<String, String> usersToTomPassword = Maps.newHashMap();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
49
38
1
args
4
49
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
85
2
element
7
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
39
3
println
1
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
33
38
1
args
4
33
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
38
27
2
args
4
38
String username = args[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
38
16
3
username
8
38
String username = args[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
40
68
4
username
8
40
System.out.println("Generation password reset link for " + username);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
40
27
5
println
1
40
System.out.println("Generation password reset link for " + username);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
116
1
text
4
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
70
2
text
4
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
66
1
userAgent
9
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
59
2
userAgent
9
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
43
2
password
8
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
58
3
length
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
22
4
append
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
9
5
output
6
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
9
6
output
6
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
7
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
8
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
9
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
10
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
76
11
output
6
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
91
12
toString
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
75
13
output
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
100
14
build
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
1
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
2
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
3
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
4
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
5
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
6
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
7
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
8
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
9
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
10
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
11
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
76
12
output
6
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
91
13
toString
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
75
14
output
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
100
15
build
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
43
2
password
8
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
58
3
length
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
22
4
append
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
9
5
output
6
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
9
6
output
6
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
7
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
8
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
9
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
10
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
74
11
output
6
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
89
12
toString
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
73
13
output
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
98
14
build
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
1
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
2
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
3
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
4
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
5
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
6
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
7
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
8
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
9
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
10
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
11
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
74
12
output
6
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
89
13
toString
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
73
14
output
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
98
15
build
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
39
63
1
text
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
39
34
2
replace
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
39
17
3
comment
7
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
40
27
4
comment
7
40
comment = comment.replace('STARS', result[i].stars)
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
40
34
5
replace
1
40
comment = comment.replace('STARS', result[i].stars)
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
40
17
6
comment
7
40
comment = comment.replace('STARS', result[i].stars)
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
41
35
7
comment
7
41
$("#list").append(comment);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
41
27
8
append
1
41
$("#list").append(comment);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
39
63
1
text
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
39
34
2
replace
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
39
17
3
comment
7
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
40
35
4
comment
7
40
$("#list").append(comment);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
40
27
5
append
1
40
$("#list").append(comment);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
77
59
1
text
1
77
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
77
30
2
replace
1
77
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
77
13
3
comment
7
77
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
78
29
4
comment
7
78
$(field).append(comment);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
78
21
5
append
1
78
$(field).append(comment);
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
62
61
1
""secret""
8
62
mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
62
60
2
param
1
62
mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
58
17
1
secret
6
58
md.update(secret.getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
58
32
2
getBytes
1
58
md.update(secret.getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
66
90
1
secret
6
66
public AttackResult execute(@RequestParam(value = "secret", required = false) String secret) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
67
86
2
secret
6
67
if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
45
56
1
url
3
45
public AttackResult completed(@RequestParam String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
46
24
2
url
3
46
return furBall(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
49
43
3
url
3
49
protected AttackResult furBall(String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
53
17
4
url
3
53
if (url.matches("http://ifconfig.pro")) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
33
5
url
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
25
6
URL
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
21
7
u
1
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
47
8
u
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
63
9
openConnection
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
49
3
getQueryString
1
76
var queryParams = request.getQueryString();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
89
52
1
user
4
89
public void login(@RequestParam("user") String user, HttpServletResponse response) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
32
2
user
4
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
23
3
put
1
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
4
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
5
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
6
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
7
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
8
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
9
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
29
10
Cookie
3
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
20
11
cookie
6
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
12
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
31
13
addCookie
1
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
100
13
14
response
8
100
response.setStatus(HttpStatus.OK.value());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
101
13
15
response
8
101
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
101
36
16
setContentType
1
101
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
89
52
1
user
4
89
public void login(@RequestParam("user") String user, HttpServletResponse response) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
32
2
user
4
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
23
3
put
1
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
4
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
5
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
6
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
7
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
8
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
9
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
29
10
Cookie
3
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
20
11
cookie
6
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
12
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
31
13
addCookie
1
99
response.addCookie(cookie);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
101
2
username_reg
12
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
24
3
checkUserQuery
14
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
62
4
checkUserQuery
14
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
5
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
52
56
1
action_string
13
52
public AttackResult completed(@RequestParam String action_string) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
44
2
action_string
13
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
56
63
3
action
6
56
protected AttackResult injectableQueryAvailability(String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
74
4
action
6
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
16
5
query
5
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
60
6
query
5
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
7
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
48
51
1
request
7
48
public String getBasicAuth(HttpServletRequest request) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
31
2
request
7
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
21
3
request
7
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
45
4
getUserPrincipal
1
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
55
5
getName
1
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
10
6
username
8
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
54
29
7
username
8
54
basicAuth = getBasicAuth(username, password);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
42
43
8
username
8
42
public static String getBasicAuth(String username, String password) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
48
9
username
8
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
63
10
concat
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
75
11
concat
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
94
12
getBytes
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
47
13
encodeToString
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
54
28
14
getBasicAuth
1
54
basicAuth = getBasicAuth(username, password);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
54
4
15
basicAuth
9
54
basicAuth = getBasicAuth(username, password);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
55
51
16
basicAuth
9
55
request.getSession().setAttribute("basicAuth", basicAuth);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
79
76
1
link
4
79
public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
83
31
2
link
4
83
form.setResetLink(link);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
83
30
3
setResetLink
1
83
form.setResetLink(link);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
84
40
4
form
4
84
model.addAttribute("form", form);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
49
38
1
args
4
49
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
67
2
element
7
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
58
3
File
3
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
73
1
JWT_PASSWORD
12
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
2
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
3
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
4
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
5
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
29
6
Cookie
3
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
20
7
cookie
6
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
8
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
41
94
1
secretText
10
41
public AttackResult completed(@RequestParam String secretFileName, @RequestParam String secretText) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
43
60
2
secretText
10
43
if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
103
41
3
secret
6
103
public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
105
16
4
secret
6
105
md.update(secret.getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
105
31
5
getBytes
1
105
md.update(secret.getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
105
15
6
update
1
105
md.update(secret.getBytes());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
54
1
"SHA-256"
9
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
53
2
getInstance
1
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
23
3
md
2
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
23
4
md
2
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
32
5
digest
1
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
54
1
"SHA-256"
9
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
53
2
getInstance
1
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
23
3
md
2
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
23
4
md
2
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
32
5
digest
1
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
56
59
1
executeQuery
1
56
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
1
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
1
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
92
50
1
executeQuery
1
92
ResultSet results = stmt.executeQuery("SELECT * FROM access_log");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
40
1
executeUpdate
1
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
66
64
1
executeQuery
1
66
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
40
1
executeUpdate
1
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
61
59
1
executeQuery
1
61
ResultSet results = statement.executeQuery("SELECT phone from employees;");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
1
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
1
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
1
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
94
59
1
executeQuery
1
94
ResultSet results = statement.executeQuery(query);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
1
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
1
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
54
57
1
executeQuery
1
54
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
1
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
58
1
executeQuery
1
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13.java
58
65
1
executeQuery
1
58
ResultSet resultSet = preparedStatement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
26
89
1
readAllBytes
1
26
byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
31
1
read
1
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
31
1
read
1
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
56
38
1
readObject
1
56
Object o = ois.readObject();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
21
34
1
readObject
1
21
Object o = ois.readObject();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
32
1
buffer
6
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
32
1
buffer
6
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
59
56
1
first
1
59
if ((results != null) && (results.first() == true)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
69
56
1
first
1
69
if ((results != null) && (results.first())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
80
33
1
last
1
80
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
69
53
1
first
1
69
if (results != null && results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
66
34
1
first
1
66
results.first();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
65
26
1
first
1
65
results.first();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
69
30
1
first
1
69
results.first();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
64
34
1
first
1
64
if (results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
64
56
1
first
1
64
if ((results != null) && (results.first())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
69
33
1
last
1
69
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
90
28
1
beforeFirst
1
90
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
101
32
1
beforeFirst
1
101
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
73
56
1
first
1
73
if ((results != null) && (results.first() == true)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
78
33
1
last
1
78
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
68
38
1
first
1
68
if (results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
70
37
1
last
1
70
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
99
28
1
beforeFirst
1
99
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
110
32
1
beforeFirst
1
110
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
69
38
1
first
1
69
if (results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
96
30
1
first
1
96
results.first();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
38
22
1
writeLong
1
38
dos.writeLong(-8699352886133051976L);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
30
24
1
writeObject
1
30
oos.writeObject(o);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
1
println
1
51
pw.println(logLine);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
103
1
listFiles
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
59
34
1
mkdir
1
59
targetDirectory.mkdir();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
67
34
1
mkdir
1
67
targetDirectory.mkdir();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
44
41
1
mkdirs
1
44
this.catPicturesDirectory.mkdirs();
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
57
18
1
path
4
57
@PostMapping(path = "/auth-bypass/verify-account", produces = {"application/json"})
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
72
21
1
path
4
72
@RequestMapping(path = "/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java
52
18
1
path
4
52
@PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
64
17
1
path
4
64
@GetMapping(path = "/CrossSiteScriptingStored/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
46
14
1
path
4
46
@GetMapping(path="/crypto/encoding/basic",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
48
18
1
path
4
48
@RequestMapping(path="/crypto/hashing/md5",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
68
18
1
path
4
68
@RequestMapping(path="/crypto/hashing/sha256",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
50
18
1
path
4
50
@RequestMapping(path="/crypto/signing/getprivate",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java
45
18
1
path
4
45
@PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"})
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
79
18
1
path
4
79
@PostMapping(path = "/csrf/feedback", produces = "application/json")
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
49
21
1
path
4
49
@RequestMapping(path = "/csrf/basic-get-flag", produces = {"application/json"}, method = RequestMethod.POST)
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
48
18
1
path
4
48
@PostMapping(path = "/csrf/login", produces = {"application/json"})
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
62
17
1
path
4
62
@GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequest.java
35
21
1
path
4
35
@RequestMapping(path = "/HttpProxies/intercept-request", method = {RequestMethod.POST, RequestMethod.GET})
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
39
17
1
path
4
39
@PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
46
17
1
path
4
46
@GetMapping(path = "/IDOR/profile/{userId}", produces = {"application/json"})
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java
42
17
1
path
4
42
@GetMapping(path = {"/IDOR/own", "/IDOR/profile"}, produces = {"application/json"})
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
88
18
1
path
4
88
@PostMapping(path="/JWT/encode",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
130
18
1
path
4
130
@PostMapping(path="/JWT/decode",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
55
21
1
path
4
55
@RequestMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE)
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
45
18
1
path
4
45
@PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
53
21
1
path
4
53
@RequestMapping(path = {"users"}, method = RequestMethod.GET)
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
70
21
1
path
4
70
@RequestMapping(path = {"users", "/"}, method = RequestMethod.GET,consumes = "application/json")
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
82
21
1
path
4
82
@RequestMapping(path = {"users","/"}, method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
44
18
1
path
4
44
@PostMapping(path = "/access-control/user-hash", produces = {"application/json"})
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
53
18
1
path
4
53
@PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
56
18
1
path
4
56
@PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
76
18
1
path
4
76
@PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
51
18
1
path
4
51
@PostMapping(path = "xxe/content-type")
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
64
18
1
path
4
64
@PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
89
21
1
path
4
89
@RequestMapping(path = "/xxe/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
95
21
1
path
4
95
@RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
57
14
1
targetDirectory
15
57
File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
72
14
1
d
1
72
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
65
14
1
targetDirectory
15
65
File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
48
14
1
logFile
7
48
File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
79
14
1
targetFile
10
79
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
103
14
1
targetFile
10
103
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
50
30
1
pw
2
50
try (PrintWriter pw = new PrintWriter(logFile)) {
webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
52
61
1
toLowerCase
1
52
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
52
70
2
equals
1
52
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
40
48
1
toLowerCase
1
40
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
40
57
2
equals
1
40
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
48
31
1
toLowerCase
1
48
if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
48
41
2
matches
1
48
if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
66
31
1
toLowerCase
1
66
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
66
41
2
matches
1
66
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
69
35
1
toLowerCase
1
69
if (field1.toLowerCase().contains("console.log")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
69
46
2
contains
1
69
if (field1.toLowerCase().contains("console.log")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
117
121
1
toUpperCase
1
117
result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
117
101
2
equals
1
117
result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
108
43
1
toUpperCase
1
108
.printHexBinary(digest).toUpperCase();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
43
59
2
getHash
1
43
if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
43
99
3
equalsIgnoreCase
1
43
if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
74
109
1
toUpperCase
1
74
if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
74
85
2
equals
1
74
if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
42
45
1
toUpperCase
1
42
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
42
26
2
equals
1
42
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
45
50
1
toUpperCase
1
45
if (!"POST".equals(answer.toUpperCase())) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
45
31
2
equals
1
45
if (!"POST".equals(answer.toUpperCase())) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
39
1
toLowerCase
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
46
2
trim
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
55
3
equals
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
95
1
toLowerCase
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
102
2
trim
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
111
3
equals
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
46
1
toLowerCase
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
53
2
trim
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
62
3
equals
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
102
1
toLowerCase
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
109
2
trim
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
118
3
equals
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
54
95
1
toLowerCase
1
54
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
54
104
2
equals
1
54
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
61
94
1
toLowerCase
1
61
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
61
103
2
equals
1
61
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
68
96
1
toLowerCase
1
68
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
68
105
2
equals
1
68
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
24
70
1
toLowerCase
1
24
private static String OS = System.getProperty("os.name").toLowerCase();
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
24
24
2
OS
2
24
private static String OS = System.getProperty("os.name").toLowerCase();
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
35
10
3
OS
2
35
if (OS.indexOf("win")>-1) {
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
35
20
4
indexOf
1
35
if (OS.indexOf("win")>-1) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
102
30
1
toLowerCase
1
102
if (jsonHeader.toLowerCase().contains("none")) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
102
41
2
contains
1
102
if (jsonHeader.toLowerCase().contains("none")) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
59
60
1
toLowerCase
1
59
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
59
39
2
equalsIgnoreCase
1
59
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
61
1
toLowerCase
1
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
40
2
get
1
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
16
3
validAnswer
11
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
66
20
4
validAnswer
11
66
} else if (validAnswer.equals(securityQuestion)) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
66
38
5
equals
1
66
} else if (validAnswer.equals(securityQuestion)) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
84
49
1
toLowerCase
1
84
if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
84
60
2
contains
1
84
if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
80
1
toLowerCase
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
45
2
contains
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
34
1
toLowerCase
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
45
2
contains
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
1
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
2
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
3
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
4
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
5
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
6
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
7
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
62
18
8
accountName
11
62
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
62
37
9
matches
1
62
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
1
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
2
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
3
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
4
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
5
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
6
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
7
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
8
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
9
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
10
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
11
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
27
12
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
67
13
results
7
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
14
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
15
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
16
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
17
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
18
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
19
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
20
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
21
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
22
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
23
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
66
24
writeTable
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
34
25
append
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
63
26
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
25
27
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
40
28
toString
1
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
51
29
contains
1
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
1
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
2
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
3
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
4
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
5
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
6
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
7
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
8
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
9
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
10
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
11
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
27
12
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
67
13
results
7
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
14
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
15
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
16
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
17
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
18
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
19
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
20
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
21
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
22
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
23
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
66
24
writeTable
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
34
25
append
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
63
26
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
78
27
toString
1
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
89
28
contains
1
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
1
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
2
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
3
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
4
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
5
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
28
6
contains
1
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
101
2
username_reg
12
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
24
3
checkUserQuery
14
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
62
4
checkUserQuery
14
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
5
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
6
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
7
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
48
89
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
49
13
2
userId
6
49
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
52
62
3
userId
6
52
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
4
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
5
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
6
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
7
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
8
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
48
101
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
18
2
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
3
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
4
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
5
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
6
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
7
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
8
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
9
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
10
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
11
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
12
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
13
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
52
56
1
action_string
13
52
public AttackResult completed(@RequestParam String action_string) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
44
2
action_string
13
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
56
63
3
action
6
56
protected AttackResult injectableQueryAvailability(String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
74
4
action
6
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
16
5
query
5
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
60
6
query
5
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
7
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
55
56
1
query
5
55
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
32
2
query
5
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
59
51
3
query
5
59
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
56
4
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
5
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
56
56
1
query
5
56
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
32
2
query
5
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
60
51
3
query
5
60
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
41
4
query
5
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
40
5
executeUpdate
1
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
52
56
1
query
5
52
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
32
2
query
5
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
56
51
3
query
5
56
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
41
4
query
5
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
40
5
executeUpdate
1
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
60
6
query
5
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
7
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
60
6
query
5
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
7
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
60
6
query
5
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
7
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
60
6
query
5
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
7
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
52
1
username_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
129
2
username_login
14
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
70
3
prepareStatement
1
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
31
4
statement
9
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
35
5
statement
9
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
6
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
89
1
password_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
169
2
password_login
14
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
70
3
prepareStatement
1
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
31
4
statement
9
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
35
5
statement
9
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
6
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
67
6
queryString
11
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
66
7
prepareStatement
1
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
31
8
query
5
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
68
13
9
query
5
68
query.setInt(1, count);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
37
10
query
5
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
11
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
69
51
1
column
6
69
public List<Server> sort(@RequestParam String column) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
189
2
column
6
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
79
3
prepareStatement
1
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
198
4
preparedStatement
1
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
28
5
preparedStatement
17
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
58
6
executeQuery
1
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
66
30
1
e
1
66
} catch (IOException e) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
67
71
2
e
1
67
return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
67
70
3
getStackTrace
1
67
return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
67
41
4
feedback
1
67
return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
67
80
5
build
1
67
return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
119
38
1
e
1
119
} catch (ExpiredJwtException e) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
120
29
2
e
1
120
user = (String) e.getClaims().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
120
40
3
getClaims
1
120
user = (String) e.getClaims().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
120
46
4
get
1
120
user = (String) e.getClaims().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
120
13
5
user
4
120
user = (String) e.getClaims().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
39
6
user
4
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
67
56
7
user
4
67
private Map<String, Object> createNewTokens(String user) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
28
8
user
4
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
19
9
put
1
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
28
10
claims
6
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
27
11
setClaims
1
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
74
26
12
signWith
1
74
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
75
25
13
compact
1
75
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
71
16
14
token
5
71
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
39
15
token
5
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
22
16
put
1
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
80
9
17
tokenJson
9
80
tokenJson.put("refresh_token", refreshToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
81
16
18
tokenJson
9
81
return tokenJson;
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
38
19
createNewTokens
1
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
22
20
ok
1
128
return ok(createNewTokens(user));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
74
35
1
sqle
4
74
} catch (SQLException sqle) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
75
17
2
sqle
4
75
sqle.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
75
37
3
printStackTrace
1
75
sqle.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
83
32
1
e
1
83
} catch (Exception e) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
84
17
2
e
1
84
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
88
17
3
e
1
88
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
88
34
4
printStackTrace
1
88
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
83
32
1
e
1
83
} catch (Exception e) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
84
17
2
e
1
84
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
84
34
3
printStackTrace
1
84
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
99
39
1
sqle
4
99
} catch (SQLException sqle) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
100
21
2
sqle
4
100
sqle.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
100
41
3
printStackTrace
1
100
sqle.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
104
28
1
e
1
104
} catch (Exception e) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
105
13
2
e
1
105
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
109
13
3
e
1
109
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
109
30
4
printStackTrace
1
109
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
104
28
1
e
1
104
} catch (Exception e) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
105
13
2
e
1
105
e.printStackTrace();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
105
30
3
printStackTrace
1
105
e.printStackTrace();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
92
42
1
e
1
92
} catch (RestClientException e) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
93
103
2
e
1
93
return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
93
115
3
getMessage
1
93
return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
93
102
4
output
1
93
return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
93
124
5
build
1
93
return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
73
25
6
sendEmail
1
73
return sendEmail(extractUsername(email), email);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
72
35
1
sqle
4
72
} catch (SQLException sqle) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
73
17
2
sqle
4
73
sqle.printStackTrace();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
73
37
3
printStackTrace
1
73
sqle.printStackTrace();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
76
28
1
e
1
76
} catch (Exception e) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
77
13
2
e
1
77
e.printStackTrace();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
77
30
3
printStackTrace
1
77
e.printStackTrace();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
76
35
1
e
1
76
} catch (SQLException e) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
77
36
2
e
1
77
System.err.println(e.getMessage());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
78
117
3
e
1
78
return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
78
129
4
getMessage
1
78
return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
78
75
5
output
1
78
return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
78
150
6
build
1
78
return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
40
7
injectableQueryIntegrity
1
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
102
28
1
exception
9
102
} catch (Exception exception) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
103
13
2
exception
9
103
exception.printStackTrace();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
103
38
3
printStackTrace
1
103
exception.printStackTrace();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
54
28
1
ex
2
54
} catch (Exception ex) {
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
55
80
2
ex
2
55
return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
55
93
3
getMessage
1
55
return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
55
79
4
output
1
55
return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
55
102
5
build
1
55
return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
65
28
1
e
1
65
} catch (Exception e) {
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
66
80
2
e
1
66
return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
66
92
3
getMessage
1
66
return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
66
79
4
output
1
66
return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
66
101
5
build
1
66
return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
64
42
1
e
1
64
} catch (RestClientException e ) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
65
89
2
e
1
65
return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
65
101
3
getMessage
1
65
return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
65
88
4
output
1
65
return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
65
110
5
build
1
65
return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
87
28
1
e
1
87
} catch (Exception e) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
40
2
e
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
50
3
toString
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
39
4
output
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
59
5
build
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
69
32
1
e
1
69
} catch (Exception e) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
70
92
2
e
1
70
error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
70
91
3
getFullStackTrace
1
70
error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
70
17
4
error
5
70
error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
71
94
5
error
5
71
attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
71
93
6
output
1
71
attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
71
106
7
build
1
71
attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
71
17
8
attackResult
12
71
attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
75
16
9
attackResult
12
75
return attackResult;
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
74
28
1
e
1
74
} catch (Exception e) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
75
54
2
e
1
75
error = ExceptionUtils.getFullStackTrace(e);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
75
53
3
getFullStackTrace
1
75
error = ExceptionUtils.getFullStackTrace(e);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
75
13
4
error
5
75
error = ExceptionUtils.getFullStackTrace(e);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
36
5
error
5
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
35
6
output
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
48
7
build
1
77
return failed(this).output(error).build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
50
1
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
2
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
165
1
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
2
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
147
1
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
165
2
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
3
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
130
1
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
147
2
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
165
3
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
4
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
108
1
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
130
2
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
147
3
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
165
4
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
5
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
84
1
replace
1
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
70
2
parse
1
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
17
3
jwt
3
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
38
4
jwt
3
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
49
5
getBody
1
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
20
6
claims
6
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
36
7
claims
6
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
46
8
get
1
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
20
9
user
4
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
81
10
user
4
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
80
11
feedbackArgs
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
92
12
build
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
22
13
ok
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
100
1
replace
1
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
86
2
parse
1
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
33
3
jwt
3
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
29
4
jwt
3
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
40
5
getBody
1
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
46
6
get
1
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
13
7
user
4
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
39
8
user
4
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
67
56
9
user
4
67
private Map<String, Object> createNewTokens(String user) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
28
10
user
4
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
19
11
put
1
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
28
12
claims
6
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
27
13
setClaims
1
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
74
26
14
signWith
1
74
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
75
25
15
compact
1
75
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
71
16
16
token
5
71
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
39
17
token
5
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
22
18
put
1
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
80
9
19
tokenJson
9
80
tokenJson.put("refresh_token", refreshToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
81
16
20
tokenJson
9
81
return tokenJson;
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
38
21
createNewTokens
1
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
22
22
ok
1
128
return ok(createNewTokens(user));
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
27
71
1
replace
1
27
return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
26
63
2
fullName
8
26
protected AttackResult execute(MultipartFile file, String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
58
3
fullName
8
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
32
4
File
3
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
17
5
uploadedFile
12
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
27
71
1
replace
1
27
return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
26
63
2
fullName
8
26
protected AttackResult execute(MultipartFile file, String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
58
3
fullName
8
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
32
4
File
3
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
17
5
uploadedFile
12
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
48
129
6
getAbsoluteFile
1
48
return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
48
100
7
feedbackArgs
1
48
return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
48
138
8
build
1
48
return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
27
29
9
execute
1
27
return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
1
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
2
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
97
3
build
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
4
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
130
1
replace
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
89
2
output
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
162
3
feedbackArgs
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
187
4
build
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
5
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
84
117
1
replace
1
84
return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
84
51
2
output
1
84
return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
84
142
3
build
1
84
return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
4
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
128
1
replace
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
87
2
output
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
153
3
build
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
4
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
108
1
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
11
2
payload
7
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
3
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
4
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
5
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
6
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
7
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
89
1
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
108
2
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
11
3
payload
7
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
4
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
5
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
6
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
7
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
8
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
71
1
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
89
2
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
108
3
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
11
4
payload
7
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
5
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
6
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
7
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
8
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
9
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
53
1
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
71
2
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
89
3
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
108
4
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
11
5
payload
7
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
6
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
7
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
8
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
9
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
10
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
36
1
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
53
2
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
71
3
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
89
4
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
108
5
replace
1
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
51
11
6
payload
7
51
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
7
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
8
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
9
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
10
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
11
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
119
6
query
5
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
96
7
output
1
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
48
89
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
49
13
2
userId
6
49
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
52
62
3
userId
6
52
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
4
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
5
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
6
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
119
7
query
5
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
96
8
output
1
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
48
101
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
18
2
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
3
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
4
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
5
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
6
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
7
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
8
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
9
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
10
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
11
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
119
12
query
5
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
96
13
output
1
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
78
109
6
query
5
78
return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
78
87
7
output
1
78
return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
111
6
query
5
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
89
7
output
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
78
109
6
query
5
78
return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
78
87
7
output
1
78
return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
111
6
query
5
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
89
7
output
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
78
109
6
query
5
78
return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
78
87
7
output
1
78
return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
111
6
query
5
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
89
7
output
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
85
1
login_count
11
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
32
2
login_count
11
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
51
3
login_count
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
136
4
login_count
11
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
130
5
replace
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
89
6
output
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
85
1
login_count
11
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
32
2
login_count
11
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
51
3
login_count
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
78
4
login_count
11
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
5
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
6
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
85
1
login_count
11
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
32
2
login_count
11
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
51
3
login_count
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
134
4
login_count
11
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
128
5
replace
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
87
6
output
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
111
6
queryString
11
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
130
7
replace
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
89
8
output
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
53
6
queryString
11
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
7
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
8
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
109
6
queryString
11
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
128
7
replace
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
88
87
8
output
1
88
return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java
31
87
1
file
4
31
public AttackResult uploadFileHandler(@RequestParam("uploadedFile") MultipartFile file, @RequestParam(value = "fullName", required = false) String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java
32
30
2
file
4
32
return super.execute(file, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
25
60
1
file
4
25
@RequestParam("uploadedFileFix") MultipartFile file,
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
27
30
2
file
4
27
return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
26
102
1
file
4
26
public AttackResult uploadFileHandler(@RequestParam("uploadedFileRemoveUserInput") MultipartFile file) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
27
30
2
file
4
27
return super.execute(file, file.getOriginalFilename());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
92
24
1
""admin""
7
92
claims.put("admin", "false");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
92
23
2
put
1
92
claims.put("admin", "false");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
13
3
claims
6
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
4
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
5
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
6
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
7
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
8
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
9
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
92
33
1
""false""
7
92
claims.put("admin", "false");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
92
23
2
put
1
92
claims.put("admin", "false");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
13
3
claims
6
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
4
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
5
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
6
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
7
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
8
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
9
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
24
1
""user""
6
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
23
2
put
1
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
3
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
4
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
5
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
6
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
7
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
8
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
72
1
""alg""
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
71
2
setHeaderParam
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
94
3
compact
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
16
4
token
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
78
52
5
token
5
78
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
71
20
1
""admin""
7
71
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
71
19
2
put
1
71
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
72
9
3
claims
6
72
claims.put("user", "Tom");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
49
4
claims
6
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
48
5
setClaims
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
71
6
setHeaderParam
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
94
7
compact
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
16
8
token
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
78
52
9
token
5
78
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
71
29
1
""true""
6
71
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
71
19
2
put
1
71
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
72
9
3
claims
6
72
claims.put("user", "Tom");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
49
4
claims
6
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
48
5
setClaims
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
71
6
setHeaderParam
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
94
7
compact
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
16
8
token
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
78
52
9
token
5
78
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
72
20
1
""user""
6
72
claims.put("user", "Tom");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
72
19
2
put
1
72
claims.put("user", "Tom");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
49
3
claims
6
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
48
4
setClaims
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
71
5
setHeaderParam
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
94
6
compact
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
16
7
token
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
78
52
8
token
5
78
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
72
28
1
""Tom""
5
72
claims.put("user", "Tom");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
72
19
2
put
1
72
claims.put("user", "Tom");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
49
3
claims
6
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
48
4
setClaims
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
71
5
setHeaderParam
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
94
6
compact
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
16
7
token
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
78
52
8
token
5
78
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
79
1
""none""
6
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
71
2
setHeaderParam
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
94
3
compact
1
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
73
16
4
token
5
73
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
78
52
5
token
5
78
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
187
20
1
""admin""
7
187
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
187
19
2
put
1
187
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
188
9
3
claims
6
188
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
114
4
claims
6
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
113
5
setClaims
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
129
6
compact
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
16
7
token
5
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
192
52
8
token
5
192
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
187
29
1
""true""
6
187
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
187
19
2
put
1
187
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
188
9
3
claims
6
188
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
114
4
claims
6
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
113
5
setClaims
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
129
6
compact
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
16
7
token
5
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
192
52
8
token
5
192
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
188
20
1
""user""
6
188
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
188
19
2
put
1
188
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
114
3
claims
6
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
113
4
setClaims
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
129
5
compact
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
16
6
token
5
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
192
52
7
token
5
192
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
188
28
1
""Intruder""
10
188
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
188
19
2
put
1
188
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
114
3
claims
6
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
113
4
setClaims
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
129
5
compact
1
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
189
16
6
token
5
189
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
192
52
7
token
5
192
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
199
20
1
""admin""
7
199
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
199
19
2
put
1
199
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
200
9
3
claims
6
200
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
114
4
claims
6
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
113
5
setClaims
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
129
6
compact
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
16
7
token
5
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
204
52
8
token
5
204
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
199
29
1
""true""
6
199
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
199
19
2
put
1
199
claims.put("admin", "true");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
200
9
3
claims
6
200
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
114
4
claims
6
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
113
5
setClaims
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
129
6
compact
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
16
7
token
5
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
204
52
8
token
5
204
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
200
20
1
""user""
6
200
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
200
19
2
put
1
200
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
114
3
claims
6
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
113
4
setClaims
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
129
5
compact
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
16
6
token
5
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
204
52
7
token
5
204
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
200
28
1
""Intruder""
10
200
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
200
19
2
put
1
200
claims.put("user", "Intruder");
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
114
3
claims
6
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
113
4
setClaims
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
129
5
compact
1
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
201
16
6
token
5
201
String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
204
52
7
token
5
204
.cookie(new Cookie("access_token", token)))
webgoat-lessons/jwt/src/main/resources/js/jwt-refresh.js
10
53
1
""bm5nhSkxCXZkKRy4""
18
10
data: JSON.stringify({user: user, password: "bm5nhSkxCXZkKRy4"})
webgoat-lessons/jwt/src/main/resources/js/jwt-refresh.js
10
43
2
password
8
10
data: JSON.stringify({user: user, password: "bm5nhSkxCXZkKRy4"})
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
15
1
""\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B""
46
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
144
1
""\x73\x65\x6E\x64""
18
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
14
2
Array
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
6
3
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
5
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
229
6
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
220
7
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
105
1
""\x73\x74\x72\x69\x6E\x67\x69\x66\x79""
38
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
62
1
""\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C""
42
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
15
1
""\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B""
46
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
144
1
""\x73\x65\x6E\x64""
18
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
14
2
Array
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
6
3
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
5
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
229
6
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
220
7
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
105
1
""\x73\x74\x72\x69\x6E\x67\x69\x66\x79""
38
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
62
1
""\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C""
42
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/ssrf/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
15
1
""\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B""
46
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
144
1
""\x73\x65\x6E\x64""
18
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
14
2
Array
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
6
3
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
5
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
229
6
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
220
7
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
105
1
""\x73\x74\x72\x69\x6E\x67\x69\x66\x79""
38
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
62
1
""\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C""
42
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
6
2
_0xb7f9
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
3
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
199
4
_0xb7f9
1
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
229
5
1
7
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
5
220
6
password
8
5
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java
34
12
1
PASSWORD
8
34
String PASSWORD = "!!webgoat_admin_1234!!";
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java
35
12
1
PASSWORD_TOM
12
35
String PASSWORD_TOM = "thisisasecretfortomonly";
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java
36
12
1
ADMIN_PASSWORD_LINK
19
36
String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
48
32
1
PASSWORD
8
48
public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
49
33
1
JWT_PASSWORD
12
49
private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
48
25
1
PASSWORD_TOM_9
14
48
static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
61
16
1
password
8
61
String password = "dave";
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
24
47
1
getProperty
1
24
private static String OS = System.getProperty("os.name").toLowerCase();
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
59
34
1
mkdir
1
59
targetDirectory.mkdir();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
67
34
1
mkdir
1
67
targetDirectory.mkdir();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
44
41
1
mkdirs
1
44
this.catPicturesDirectory.mkdirs();
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
58
36
1
exists
1
58
if (!targetDirectory.exists()) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
66
36
1
exists
1
66
if (!targetDirectory.exists()) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
22
3
request
7
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
42
4
getParameter
1
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
17
5
id
2
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
82
30
6
File
3
82
var catPicture = new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
43
1
""id""
4
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
42
2
getParameter
1
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
17
3
id
2
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
82
30
4
File
3
82
var catPicture = new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
26
102
1
file
4
26
public AttackResult uploadFileHandler(@RequestParam("uploadedFileRemoveUserInput") MultipartFile file) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
27
36
2
file
4
27
return super.execute(file, file.getOriginalFilename());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
27
60
3
getOriginalFilename
1
27
return super.execute(file, file.getOriginalFilename());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
26
63
4
fullName
8
26
protected AttackResult execute(MultipartFile file, String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
58
5
fullName
8
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
32
6
File
3
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java
31
152
1
fullName
8
31
public AttackResult uploadFileHandler(@RequestParam("uploadedFile") MultipartFile file, @RequestParam(value = "fullName", required = false) String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java
32
36
2
fullName
8
32
return super.execute(file, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
26
63
3
fullName
8
26
protected AttackResult execute(MultipartFile file, String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
58
4
fullName
8
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
32
5
File
3
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
26
75
1
fullName
8
26
@RequestParam(value = "fullNameFix", required = false) String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
27
55
2
fullName
8
27
return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
27
71
3
replace
1
27
return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
26
63
4
fullName
8
26
protected AttackResult execute(MultipartFile file, String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
58
5
fullName
8
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
41
32
6
File
3
41
var uploadedFile = new File(uploadDirectory, fullName);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
69
78
1
getCookies
1
69
boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
99
59
2
cookies
7
99
private boolean requestContainsWebGoatCookie(Cookie[] cookies) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
101
29
3
cookies
7
101
for (Cookie c : cookies) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
102
21
4
c
1
102
if (c.getName().equals("JSESSIONID")) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
102
30
5
getName
1
102
if (c.getName().equals("JSESSIONID")) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
102
39
6
equals
1
102
if (c.getName().equals("JSESSIONID")) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
112
103
1
accessToken
11
112
public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
118
75
2
accessToken
11
118
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
118
74
3
parse
1
118
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
118
21
4
jwt
3
118
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
119
42
5
jwt
3
119
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
119
53
6
getBody
1
119
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
119
24
7
claims
6
119
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
120
40
8
claims
6
120
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
120
50
9
get
1
120
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
120
24
10
user
4
120
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
121
36
11
user
4
121
if ("Guest".equals(user) || !validUsers.contains(user)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
121
35
12
equals
1
121
if ("Guest".equals(user) || !validUsers.contains(user)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
121
42
13
||
2
121
if ("Guest".equals(user) || !validUsers.contains(user)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
112
103
1
accessToken
11
112
public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
114
33
2
accessToken
11
114
if (StringUtils.isEmpty(accessToken)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
114
32
3
isEmpty
1
114
if (StringUtils.isEmpty(accessToken)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
136
125
1
accessToken
11
136
public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
137
33
2
accessToken
11
137
if (StringUtils.isEmpty(accessToken)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
137
32
3
isEmpty
1
137
if (StringUtils.isEmpty(accessToken)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
158
98
1
accessToken
11
158
public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
159
33
2
accessToken
11
159
if (StringUtils.isEmpty(accessToken)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
159
32
3
isEmpty
1
159
if (StringUtils.isEmpty(accessToken)) {
webgoat-lessons/jwt/src/main/resources/html/JWT.html
8
22
1
load
1
8
$("#secrettoken").load('/WebGoat/JWT/secret/gettoken');
webgoat-lessons/crypto/src/main/resources/html/Crypto.html
10
19
1
load
1
10
$("#sha256token").load('/WebGoat/crypto/hashing/sha256');
webgoat-lessons/crypto/src/main/resources/html/Crypto.html
11
16
1
load
1
11
$("#md5token").load('/WebGoat/crypto/hashing/md5');
webgoat-lessons/crypto/src/main/resources/html/Crypto.html
12
22
1
load
1
12
$("#basicauthtoken").load('/WebGoat/crypto/encoding/basic');
webgoat-lessons/crypto/src/main/resources/html/Crypto.html
13
18
1
load
1
13
$("#privatekey").load('/WebGoat/crypto/signing/getprivate');
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
168
26
1
FileInputStream
3
168
InputStream is = new FileInputStream(f);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
168
21
2
is
2
168
InputStream is = new FileInputStream(f);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
170
9
3
is
2
170
is.close();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
170
17
4
close
1
170
is.close();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
183
26
1
FileInputStream
3
183
InputStream is = new FileInputStream(f);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
183
21
2
is
2
183
InputStream is = new FileInputStream(f);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
185
9
3
is
2
185
is.close();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
185
17
4
close
1
185
is.close();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
29
34
1
ObjectOutputStream
3
29
ObjectOutputStream oos = new ObjectOutputStream(baos);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
29
28
2
oos
3
29
ObjectOutputStream oos = new ObjectOutputStream(baos);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
30
9
3
oos
3
30
oos.writeObject(o);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
31
9
4
oos
3
31
oos.close();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
31
18
5
close
1
31
oos.close();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
37
32
1
DataOutputStream
3
37
DataOutputStream dos = new DataOutputStream(baos);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
37
26
2
dos
3
37
DataOutputStream dos = new DataOutputStream(baos);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
38
9
3
dos
3
38
dos.writeLong(-8699352886133051976L);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
39
9
4
dos
3
39
dos.close();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
39
18
5
close
1
39
dos.close();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
85
57
1
getResourceAsStream
1
85
var inputStream = getClass().getResourceAsStream("/images/account.png");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
85
13
2
inputStream
11
85
var inputStream = getClass().getResourceAsStream("/images/account.png");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
88
80
3
inputStream
11
88
.body(Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream)));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
31
1
read
1
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
41
2
!=
2
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
154
32
3
read
4
154
md5.update(buffer, read);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
350
43
4
length
6
350
public void update(byte buffer[], int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
351
27
5
length
6
351
update(buffer, 0, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
336
55
6
length
6
336
public void update(byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
337
46
7
length
6
337
update(workingState, buffer, offset, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
288
72
8
length
6
288
private void update(MD5State state, byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
27
9
length
6
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
14
10
bitCount
1
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
310
23
11
state
5
310
transform(state, decode(state.buffer, 64, 0));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
606
44
12
state
5
606
private static void transform(MD5State state, int[] x) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
22
13
state
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
13
14
a
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
613
16
15
a
1
613
a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
532
31
16
a
1
532
private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
14
17
a
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
22
18
|
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
11
19
AssignExpr
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
49
38
1
args
4
49
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
67
2
element
7
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
58
3
File
3
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
182
45
4
f
1
182
public static String getHashString(File f) throws IOException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
184
37
5
is
2
184
String hash = getHashString(is);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
149
52
6
in
2
149
public static String getHashString(InputStream in) throws IOException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
24
7
in
2
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
31
8
read
1
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
41
9
!=
2
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
154
32
10
read
4
154
md5.update(buffer, read);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
350
43
11
length
6
350
public void update(byte buffer[], int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
351
27
12
length
6
351
update(buffer, 0, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
336
55
13
length
6
336
public void update(byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
337
46
14
length
6
337
update(workingState, buffer, offset, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
288
72
15
length
6
288
private void update(MD5State state, byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
27
16
length
6
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
14
17
bitCount
1
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
310
23
18
state
5
310
transform(state, decode(state.buffer, 64, 0));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
606
44
19
state
5
606
private static void transform(MD5State state, int[] x) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
22
20
state
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
13
21
a
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
613
16
22
a
1
613
a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
532
31
23
a
1
532
private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
14
24
a
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
22
25
|
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
11
26
AssignExpr
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
31
1
read
1
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
41
2
!=
2
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
136
32
3
read
4
136
md5.update(buffer, read);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
350
43
4
length
6
350
public void update(byte buffer[], int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
351
27
5
length
6
351
update(buffer, 0, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
336
55
6
length
6
336
public void update(byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
337
46
7
length
6
337
update(workingState, buffer, offset, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
288
72
8
length
6
288
private void update(MD5State state, byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
27
9
length
6
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
14
10
bitCount
1
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
310
23
11
state
5
310
transform(state, decode(state.buffer, 64, 0));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
606
44
12
state
5
606
private static void transform(MD5State state, int[] x) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
22
13
state
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
13
14
a
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
613
16
15
a
1
613
a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
532
31
16
a
1
532
private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
14
17
a
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
22
18
|
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
11
19
AssignExpr
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
31
1
read
1
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
41
2
!=
2
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
154
32
3
read
4
154
md5.update(buffer, read);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
350
43
4
length
6
350
public void update(byte buffer[], int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
351
27
5
length
6
351
update(buffer, 0, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
336
55
6
length
6
336
public void update(byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
337
46
7
length
6
337
update(workingState, buffer, offset, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
288
72
8
length
6
288
private void update(MD5State state, byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
27
9
length
6
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
14
10
bitCount
1
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
310
23
11
state
5
310
transform(state, decode(state.buffer, 64, 0));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
606
44
12
state
5
606
private static void transform(MD5State state, int[] x) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
22
13
state
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
13
14
a
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
613
16
15
a
1
613
a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
532
31
16
a
1
532
private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
14
17
a
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
22
18
|
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
11
19
AssignExpr
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
49
38
1
args
4
49
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
67
2
element
7
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
58
3
File
3
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
182
45
4
f
1
182
public static String getHashString(File f) throws IOException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
184
37
5
is
2
184
String hash = getHashString(is);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
149
52
6
in
2
149
public static String getHashString(InputStream in) throws IOException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
24
7
in
2
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
31
8
read
1
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
41
9
!=
2
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
154
32
10
read
4
154
md5.update(buffer, read);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
350
43
11
length
6
350
public void update(byte buffer[], int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
351
27
12
length
6
351
update(buffer, 0, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
336
55
13
length
6
336
public void update(byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
337
46
14
length
6
337
update(workingState, buffer, offset, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
288
72
15
length
6
288
private void update(MD5State state, byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
27
16
length
6
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
14
17
bitCount
1
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
310
23
18
state
5
310
transform(state, decode(state.buffer, 64, 0));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
606
44
19
state
5
606
private static void transform(MD5State state, int[] x) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
22
20
state
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
13
21
a
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
613
16
22
a
1
613
a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
532
31
23
a
1
532
private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
14
24
a
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
22
25
|
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
11
26
AssignExpr
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
31
1
read
1
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
41
2
!=
2
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
136
32
3
read
4
136
md5.update(buffer, read);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
350
43
4
length
6
350
public void update(byte buffer[], int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
351
27
5
length
6
351
update(buffer, 0, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
336
55
6
length
6
336
public void update(byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
337
46
7
length
6
337
update(workingState, buffer, offset, length);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
288
72
8
length
6
288
private void update(MD5State state, byte buffer[], int offset, int length) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
27
9
length
6
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
303
14
10
bitCount
1
303
state.bitCount += length << 3;
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
310
23
11
state
5
310
transform(state, decode(state.buffer, 64, 0));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
606
44
12
state
5
606
private static void transform(MD5State state, int[] x) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
22
13
state
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
607
13
14
a
1
607
int a = state.state[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
613
16
15
a
1
613
a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
532
31
16
a
1
532
private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
14
17
a
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
22
18
|
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
537
11
19
AssignExpr
1
537
a = (a << s) | (a >>> (32 - s));
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
57
52
1
""MD5""
5
57
MessageDigest md = MessageDigest.getInstance("MD5");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
57
51
2
getInstance
1
57
MessageDigest md = MessageDigest.getInstance("MD5");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
67
37
1
shaHex
1
67
if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) {
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
62
95
1
shaHex
1
62
mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
48
89
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
49
13
2
userId
6
49
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
52
62
3
userId
6
52
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
4
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
5
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
6
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
119
7
query
5
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
96
8
output
1
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
119
6
query
5
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
96
7
output
1
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
48
101
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
18
2
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
3
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
4
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
5
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
6
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
7
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
8
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
9
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
10
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
11
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
119
12
query
5
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
89
96
13
output
1
89
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
116
1
text
4
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
70
2
text
4
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
47
19
5
logLine
7
47
log.debug(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
47
18
6
debug
1
47
log.debug(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
66
1
userAgent
9
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
59
2
userAgent
9
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
47
19
5
logLine
7
47
log.debug(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
47
18
6
debug
1
47
log.debug(logLine);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
66
84
1
modulus
7
66
public AttackResult completed(HttpServletRequest request, @RequestParam String modulus, @RequestParam String signature) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
75
37
2
modulus
7
75
log.warn("modulus {} incorrect", modulus);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
75
12
3
warn
1
75
log.warn("modulus {} incorrect", modulus);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
1
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
104
32
1
cookie
6
104
response.addCookie(cookie);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
67
27
2
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
70
49
3
getString
1
70
password = results.getString("password");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
70
21
4
password
8
70
password = results.getString("password");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
67
27
2
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
70
49
3
getString
1
70
password = results.getString("password");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
70
21
4
password
8
70
password = results.getString("password");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
80
17
5
password
8
80
return (password);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
79
76
1
link
4
79
public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
83
31
2
link
4
83
form.setResetLink(link);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
83
30
3
setResetLink
1
83
form.setResetLink(link);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
85
44
4
form
4
85
modelAndView.addObject("form", form);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
52
1
fmt
3
85
review.setDateTime(DateTime.now().toString(fmt));
__MACOSX/webgoat-lessons/auth-bypass/src/main/resources/html/._AuthBypass.html
1
1
1
CxJSNS_425095432
0
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
26
50
1
file
4
26
protected AttackResult execute(MultipartFile file, String fullName) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
27
13
2
file
4
27
if (file.isEmpty()) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
43
32
3
file
4
43
FileCopyUtils.copy(file.getBytes(), uploadedFile);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
43
45
4
getBytes
1
43
FileCopyUtils.copy(file.getBytes(), uploadedFile);
webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
73
9
1
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">
66
73
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>
webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
73
9
1
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">
66
73
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
58
13
1
try
3
58
try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
57
51
1
getInstance
1
57
MessageDigest md = MessageDigest.getInstance("MD5");
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
57
63
1
""/ClientSideFiltering""
22
57
File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
57
32
2
File
3
57
File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
72
49
1
""ClientSideFiltering/employees.xml""
35
72
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
72
18
2
File
3
72
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
34
67
1
""/PathTraversal/""
17
34
var uploadDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
34
31
2
File
3
34
var uploadDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
67
75
1
""/PathTraversal/""
17
67
var profilePictureDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
67
39
2
File
3
67
var profilePictureDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
43
68
1
""/PathTraversal/""
17
43
this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
43
37
2
File
3
43
this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
43
88
1
""/cats""
7
43
this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
43
37
2
File
3
43
this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
65
63
1
""/XXE""
6
65
File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
65
32
2
File
3
65
File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
48
55
1
""/XXE/log""
10
48
File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
48
24
2
File
3
48
File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
79
58
1
""/XXE/secret.txt""
17
79
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
79
27
2
File
3
79
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
103
58
1
""/XXE/secret.txt""
17
103
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
103
27
2
File
3
103
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");