webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
43
1
"id"
4
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
42
2
getParameter
1
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
17
3
id
2
81
var id = request.getParameter("id");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
85
57
1
newUser
7
85
public WebGoatUser addUser(@RequestBody WebGoatUser newUser) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
87
33
2
newUser
7
87
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
87
55
3
newUser
7
87
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
87
77
4
newUser
7
87
userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
88
51
5
newUser
7
88
return userService.loadUserByUsername(newUser.getUsername());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
88
70
6
getUsername
1
88
return userService.loadUserByUsername(newUser.getUsername());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
88
50
7
loadUserByUsername
1
88
return userService.loadUserByUsername(newUser.getUsername());
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
59
56
1
userId
6
59
public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
71
61
2
userId
6
71
userSessionData.setValue("account-verified-id", userId);
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
71
37
3
setValue
1
71
userSessionData.setValue("account-verified-id", userId);
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
72
27
4
success
1
72
return success(this)
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
73
30
5
feedback
1
73
.feedback("verify-account.success")
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
74
27
6
build
1
74
.build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
52
1
username_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
56
73
2
username_login
14
56
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
56
72
3
feedbackArgs
1
56
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
56
94
4
build
1
56
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
59
68
1
email
5
59
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
66
2
email
5
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
65
3
feedbackArgs
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
78
4
build
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
59
68
1
email
5
59
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
66
2
email
5
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
65
3
feedbackArgs
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
73
78
4
build
1
73
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
45
84
1
field1
6
45
@RequestParam Integer QTY4, @RequestParam String field1,
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
57
2
field1
6
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
20
3
append
1
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
58
9
4
cart
4
58
cart.append(" ------------------- <br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
59
9
5
cart
4
59
cart.append(" $" + totalSale);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
90
6
cart
4
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
103
7
toString
1
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
89
8
output
1
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
70
112
9
build
1
70
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
45
84
1
field1
6
45
@RequestParam Integer QTY4, @RequestParam String field1,
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
57
2
field1
6
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
20
3
append
1
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
58
9
4
cart
4
58
cart.append(" ------------------- <br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
59
9
5
cart
4
59
cart.append(" $" + totalSale);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
88
6
cart
4
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
101
7
toString
1
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
87
8
output
1
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
72
110
9
build
1
72
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
45
84
1
field1
6
45
@RequestParam Integer QTY4, @RequestParam String field1,
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
57
2
field1
6
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
57
20
3
append
1
57
cart.append("<p>We have charged credit card:" + field1 + "<br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
58
9
4
cart
4
58
cart.append(" ------------------- <br />");
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
59
9
5
cart
4
59
cart.append(" $" + totalSale);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
78
29
6
cart
4
78
.output(cart.toString())
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
78
42
7
toString
1
78
.output(cart.toString())
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
78
28
8
output
1
78
.output(cart.toString())
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
79
27
9
build
1
79
.build();
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
80
62
1
commentStr
10
80
public AttackResult createNewComment(@RequestBody String commentStr) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
37
2
commentStr
10
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
97
38
3
comment
7
97
private Comment parseJson(String comment) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
37
4
comment
7
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
36
5
readValue
1
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
36
6
parseJson
1
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
17
7
comment
7
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
87
21
8
add
1
87
comments.add(comment);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
52
9
comments
8
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
25
10
put
1
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
93
27
11
failed
1
93
return (failed(this).feedback("xss-stored-comment-failure").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
93
42
12
feedback
1
93
return (failed(this).feedback("xss-stored-comment-failure").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
93
78
13
build
1
93
return (failed(this).feedback("xss-stored-comment-failure").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
80
62
1
commentStr
10
80
public AttackResult createNewComment(@RequestBody String commentStr) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
37
2
commentStr
10
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
97
38
3
comment
7
97
private Comment parseJson(String comment) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
37
4
comment
7
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
100
36
5
readValue
1
100
return mapper.readValue(comment, Comment.class);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
36
6
parseJson
1
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
81
17
7
comment
7
81
Comment comment = parseJson(commentStr);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
87
21
8
add
1
87
comments.add(comment);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
52
9
comments
8
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
88
25
10
put
1
88
userComments.put(webSession.getUserName(), comments);
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
91
28
11
success
1
91
return (success(this).feedback("xss-stored-comment-success").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
91
43
12
feedback
1
91
return (success(this).feedback("xss-stored-comment-success").build());
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
91
79
13
build
1
91
return (success(this).feedback("xss-stored-comment-success").build());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
48
51
1
request
7
48
public String getBasicAuth(HttpServletRequest request) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
31
2
request
7
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
49
3
getSession
1
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
64
4
getAttribute
1
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
10
5
basicAuth
9
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
57
41
6
basicAuth
9
57
return "Authorization: Basic ".concat(basicAuth);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
57
40
7
concat
1
57
return "Authorization: Basic ".concat(basicAuth);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
50
45
1
request
7
50
public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
29
2
request
7
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
47
3
getSession
1
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
62
4
getAttribute
1
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
52
10
5
md5Hash
7
52
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
65
10
6
md5Hash
7
65
return md5Hash;
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
70
48
1
request
7
70
public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
28
2
request
7
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
46
3
getSession
1
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
61
4
getAttribute
1
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
72
10
5
sha256
6
72
String sha256 = (String) request.getSession().getAttribute("sha256");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
79
10
6
sha256
6
79
return sha256;
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
52
52
1
request
7
52
public String getPrivateKey(HttpServletRequest request) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
32
2
request
7
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
50
3
getSession
1
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
65
4
getAttribute
1
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
54
10
5
privateKey
10
54
String privateKey = (String) request.getSession().getAttribute("privateKeyString");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
61
10
6
privateKey
10
61
return privateKey;
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
50
54
1
request
7
50
public AttackResult completed(HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
27
2
request
7
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
51
3
getUserPrincipal
1
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
61
4
getName
1
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
51
16
5
userName
8
51
String userName = request.getUserPrincipal().getName();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
52
13
6
userName
8
52
if (userName.startsWith("csrf")) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
56
72
7
userName
8
56
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
56
71
8
feedbackArgs
1
56
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
56
87
9
build
1
56
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
78
48
1
reviewText
10
78
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
24
2
reviewText
10
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
23
3
setText
1
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
9
4
review
6
85
review.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
86
9
5
review
6
86
review.setUser(webSession.getUserName());
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
87
9
6
review
6
87
review.setStars(stars);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
21
7
review
6
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
20
8
add
1
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
51
9
reviews
7
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
24
10
put
1
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
97
26
11
failed
1
97
return failed(this).feedback("csrf-same-host").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
97
41
12
feedback
1
97
return failed(this).feedback("csrf-same-host").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
97
65
13
build
1
97
return failed(this).feedback("csrf-same-host").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
78
48
1
reviewText
10
78
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
24
2
reviewText
10
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
23
3
setText
1
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
9
4
review
6
85
review.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
86
9
5
review
6
86
review.setUser(webSession.getUserName());
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
87
9
6
review
6
87
review.setStars(stars);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
21
7
review
6
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
20
8
add
1
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
51
9
reviews
7
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
24
10
put
1
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
93
26
11
failed
1
93
return failed(this).feedback("csrf-you-forgot-something").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
93
41
12
feedback
1
93
return failed(this).feedback("csrf-you-forgot-something").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
93
76
13
build
1
93
return failed(this).feedback("csrf-you-forgot-something").build();
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
78
48
1
reviewText
10
78
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
24
2
reviewText
10
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
84
23
3
setText
1
84
review.setText(reviewText);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
85
9
4
review
6
85
review.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
86
9
5
review
6
86
review.setUser(webSession.getUserName());
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
87
9
6
review
6
87
review.setStars(stars);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
21
7
review
6
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
89
20
8
add
1
89
reviews.add(review);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
51
9
reviews
7
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
90
24
10
put
1
90
userReviews.put(webSession.getUserName(), reviews);
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
99
27
11
success
1
99
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
99
42
12
feedback
1
99
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
99
71
13
build
1
99
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
36
56
1
person
6
36
public AttackResult completed(@RequestParam String person) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
37
14
2
person
6
37
if (!person.equals("")) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
48
3
person
6
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
31
4
StringBuffer
3
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
63
5
reverse
1
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
74
6
toString
1
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
40
30
7
feedbackArgs
1
40
.feedbackArgs(new StringBuffer(person).reverse().toString())
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
41
23
8
build
1
41
.build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
132
59
1
jwtToken
8
132
public String decode(@RequestParam("jwtToken") String jwtToken) throws NoSuchAlgorithmException {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
49
2
jwtToken
8
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
27
3
jwtToken
8
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
45
4
substring
1
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
134
11
5
encodedHeader
13
134
String encodedHeader = jwtToken.substring(0, jwtToken.indexOf("."));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
136
59
6
encodedHeader
13
136
String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
136
58
7
decodeToString
1
136
String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
136
11
8
jsonHeader
10
136
String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
32
9
jsonHeader
10
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
50
10
replace
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
138
175
11
BinaryExpr
1
138
return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
54
85
1
json
4
54
public ResponseEntity follow(@RequestBody(required = false) Map<String, Object> json) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
58
32
2
json
4
58
String user = (String) json.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
58
40
3
get
1
58
String user = (String) json.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
58
16
4
user
4
58
String user = (String) json.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
62
39
5
user
4
62
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
67
56
6
user
4
67
private Map<String, Object> createNewTokens(String user) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
28
7
user
4
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
19
8
put
1
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
28
9
claims
6
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
27
10
setClaims
1
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
74
26
11
signWith
1
74
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
75
25
12
compact
1
75
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
71
16
13
token
5
71
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
39
14
token
5
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
22
15
put
1
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
80
9
16
tokenJson
9
80
tokenJson.put("refresh_token", refreshToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
81
16
17
tokenJson
9
81
return tokenJson;
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
62
38
18
createNewTokens
1
62
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
62
22
19
ok
1
62
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
86
115
1
token
5
86
public ResponseEntity<AttackResult> checkout(@RequestHeader(value = "Authorization", required = false) String token) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
71
2
token
5
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
84
3
replace
1
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
70
4
parse
1
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
91
17
5
jwt
3
91
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
38
6
jwt
3
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
49
7
getBody
1
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
92
20
8
claims
6
92
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
36
9
claims
6
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
46
10
get
1
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
93
20
11
user
4
93
String user = (String) claims.get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
81
12
user
4
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
80
13
feedbackArgs
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
92
14
build
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
97
22
15
ok
1
97
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
107
101
1
token
5
107
public ResponseEntity newToken(@RequestHeader(value = "Authorization", required = false) String token,
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
87
2
token
5
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
100
3
replace
1
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
86
4
parse
1
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
116
33
5
jwt
3
116
Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
29
6
jwt
3
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
40
7
getBody
1
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
46
8
get
1
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
117
13
9
user
4
117
user = (String) jwt.getBody().get("user");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
39
10
user
4
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
67
56
11
user
4
67
private Map<String, Object> createNewTokens(String user) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
28
12
user
4
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
70
19
13
put
1
70
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
28
14
claims
6
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
73
27
15
setClaims
1
73
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
74
26
16
signWith
1
74
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
75
25
17
compact
1
75
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
71
16
18
token
5
71
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
39
19
token
5
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
79
22
20
put
1
79
tokenJson.put("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
80
9
21
tokenJson
9
80
tokenJson.put("refresh_token", refreshToken);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
81
16
22
tokenJson
9
81
return tokenJson;
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
38
23
createNewTokens
1
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
128
22
24
ok
1
128
return ok(createNewTokens(user));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
72
52
1
token
5
72
public AttackResult login(@RequestParam String token) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
74
69
2
token
5
74
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
74
68
3
parse
1
74
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
74
17
4
jwt
3
74
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
75
38
5
jwt
3
75
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
75
49
6
getBody
1
75
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
75
20
7
claims
6
75
Claims claims = (Claims) jwt.getBody();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
76
18
8
claims
6
76
if (!claims.keySet().containsAll(expectedClaims)) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
79
40
9
claims
6
79
String user = (String) claims.get("username");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
79
50
10
get
1
79
String user = (String) claims.get("username");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
79
24
11
user
4
79
String user = (String) claims.get("username");
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
84
92
12
user
4
84
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
84
91
13
feedbackArgs
1
84
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
84
103
14
build
1
84
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
55
73
1
json
4
55
public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
56
44
2
json
4
56
String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
57
36
3
json
4
57
String username = (String) json.getOrDefault("username", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
57
53
4
getOrDefault
1
57
String username = (String) json.getOrDefault("username", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
57
16
5
username
8
57
String username = (String) json.getOrDefault("username", "");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
59
40
6
username
8
59
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
41
7
username
8
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
65
90
8
username
8
65
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
65
89
9
feedbackArgs
1
65
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
65
105
10
build
1
65
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
59
68
1
email
5
59
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
75
66
2
email
5
75
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
75
65
3
feedbackArgs
1
75
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
75
78
4
build
1
75
return success(this).feedback("email.send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
69
56
1
question
8
69
public AttackResult completed(@RequestParam String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
33
2
question
8
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
37
29
3
question
8
37
public void incr(String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
31
4
question
8
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
30
5
add
1
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
13
6
triedQuestions
14
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
73
17
7
triedQuestions
14
73
if (triedQuestions.isComplete()) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
74
31
8
success
1
74
return success(this).output("<b>" + answer + "</b>").build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
74
44
9
output
1
74
return success(this).output("<b>" + answer + "</b>").build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
74
75
10
build
1
74
return success(this).output("<b>" + answer + "</b>").build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
69
56
1
question
8
69
public AttackResult completed(@RequestParam String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
33
2
question
8
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
37
29
3
question
8
37
public void incr(String question) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
31
4
question
8
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
38
30
5
add
1
38
answeredQuestions.add(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
72
13
6
triedQuestions
14
72
triedQuestions.incr(question);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
73
17
7
triedQuestions
14
73
if (triedQuestions.isComplete()) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
77
34
8
informationMessage
1
77
return informationMessage(this)
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
78
26
9
feedback
1
78
.feedback("password-questions-one-successful")
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
79
24
10
output
1
79
.output(answer.orElse("Unknown question, please try again..."))
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
80
23
11
build
1
80
.build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
71
60
1
emailReset
10
71
public AttackResult resetPassword(@RequestParam String emailReset) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
35
2
emailReset
10
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
34
3
ofNullable
1
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
53
4
orElse
1
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
72
16
5
email
5
72
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
73
50
6
email
5
73
return sendEmail(extractUsername(email), email);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
81
60
7
email
5
81
private AttackResult sendEmail(String username, String email) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
95
103
8
email
5
95
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
95
102
9
feedbackArgs
1
95
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
95
115
10
build
1
95
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
73
25
11
sendEmail
1
73
return sendEmail(extractUsername(email), email);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
49
3
getQueryString
1
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
13
4
queryParams
11
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
22
3
request
7
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
42
4
getParameter
1
81
var id = request.getParameter("id");
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
81
17
5
id
2
81
var id = request.getParameter("id");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
2
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
3
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
4
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
5
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
6
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
7
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
8
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
9
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
10
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
11
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
12
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
76
13
output
6
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
91
14
toString
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
75
15
output
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
100
16
build
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
2
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
3
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
4
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
5
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
6
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
7
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
8
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
9
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
10
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
11
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
12
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
74
13
output
6
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
89
14
toString
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
73
15
output
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
98
16
build
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
88
2
username_reg
12
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
87
3
feedbackArgs
1
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
107
4
build
1
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
79
21
5
attackResult
12
79
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
85
16
6
attackResult
12
85
return attackResult;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
153
6
query
5
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
130
7
output
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
165
8
build
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
31
9
injectableQuery
1
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
55
56
1
query
5
55
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
32
2
query
5
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
59
51
3
query
5
59
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
68
68
4
query
5
68
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
68
30
5
append
1
68
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
17
6
output
6
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
81
7
output
6
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
96
8
toString
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
80
9
output
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
105
10
build
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
31
11
injectableQuery
1
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
56
56
1
query
5
56
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
32
2
query
5
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
60
51
3
query
5
60
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
71
72
4
query
5
71
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
71
34
5
append
1
71
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
21
6
output
6
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
49
7
output
6
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
64
8
toString
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
48
9
output
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
73
10
build
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
31
11
injectableQuery
1
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
52
56
1
query
5
52
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
32
2
query
5
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
56
51
3
query
5
56
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
65
72
4
query
5
65
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
65
34
5
append
1
65
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
49
6
output
6
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
64
7
toString
1
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
48
8
output
1
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
66
73
9
build
1
66
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
31
10
injectableQuery
1
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
40
42
1
query
5
40
public AttackResult completed(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
41
32
2
query
5
41
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
44
51
3
query
5
44
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
50
17
4
query
5
50
if (query.matches(regex)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
51
68
5
query
5
51
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
51
30
6
append
1
51
output.append("<span class='feedback-positive'>" + query + "</span>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
45
7
output
6
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
60
8
toString
1
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
44
9
output
1
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
52
69
10
build
1
52
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
41
31
11
injectableQuery
1
41
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
98
6
query
5
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
51
7
output
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
110
8
build
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
9
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
98
6
query
5
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
51
7
output
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
110
8
build
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
9
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
98
6
query
5
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
51
7
output
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
75
110
8
build
1
75
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
9
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
53
6
queryString
11
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
7
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
8
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
97
9
build
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
10
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
85
1
login_count
11
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
32
2
login_count
11
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
51
3
login_count
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
78
4
login_count
11
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
72
5
replace
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
64
43
6
output
1
64
return failed(this).output("Could not parse: " + login_count + " to a number"
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
65
97
7
build
1
65
+ "<br> Your query was: " + queryString.replace("?", login_count)).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
8
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
45
56
1
url
3
45
public AttackResult completed(@RequestParam String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
46
24
2
url
3
46
return furBall(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
49
43
3
url
3
49
protected AttackResult furBall(String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
53
17
4
url
3
53
if (url.matches("http://ifconfig.pro")) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
33
5
url
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
25
6
URL
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
21
7
u
1
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
47
8
u
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
63
9
openConnection
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
31
10
urlConnection
13
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
78
11
urlConnection
13
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
106
12
getInputStream
1
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
56
13
InputStreamReader
3
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
37
14
BufferedReader
3
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
56
32
15
in
2
56
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
59
37
16
in
2
59
while ((inputLine = in.readLine()) != null) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
59
48
17
readLine
1
59
while ((inputLine = in.readLine()) != null) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
59
52
18
!=
2
59
while ((inputLine = in.readLine()) != null) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
60
33
19
inputLine
9
60
html.append(inputLine);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
60
32
20
append
1
60
html.append(inputLine);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
66
33
21
html
4
66
.output(html.toString())
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
66
46
22
toString
1
66
.output(html.toString())
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
66
32
23
output
1
66
.output(html.toString())
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
67
31
24
build
1
67
.build();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
46
23
25
furBall
1
46
return furBall(url);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
42
49
1
payload
7
42
AttackResult completed(@RequestParam String payload) {
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
2
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
3
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
13
4
contact
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
83
5
feedbackArgs
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
68
98
6
build
1
68
return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
53
56
1
email
5
53
public AttackResult sendEmail(@RequestParam String email) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
46
2
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
27
3
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
67
89
4
email
5
67
return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
67
88
5
feedbackArgs
1
67
return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
67
101
6
build
1
67
return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
53
56
1
email
5
53
public AttackResult sendEmail(@RequestParam String email) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
46
2
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
27
3
email
5
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
42
4
substring
1
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
54
16
5
username
8
54
String username = email.substring(0, email.indexOf("@"));
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
55
13
6
username
8
55
if (username.equalsIgnoreCase(getWebSession().getUserName())) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
69
93
7
username
8
69
return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
69
92
8
feedbackArgs
1
69
return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
69
108
9
build
1
69
return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
75
56
1
uniqueCode
10
75
public AttackResult completed(@RequestParam String uniqueCode) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
76
13
2
uniqueCode
10
76
if (uniqueCode.equals(StringUtils.reverse(getWebSession().getUserName()))) {
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
79
85
3
uniqueCode
10
79
return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
79
84
4
feedbackArgs
1
79
return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
79
102
5
build
1
79
return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
78
56
1
commentStr
10
78
public AttackResult addComment(@RequestBody String commentStr) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
80
13
2
commentStr
10
80
if (commentStr.contains(CONTENTS)) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
49
3
commentStr
10
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
4
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
5
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
6
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
7
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
8
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
9
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
48
10
parseXml
1
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
21
11
comment
7
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
33
12
comment
7
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
13
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
15
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
17
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
18
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
32
19
addComment
1
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
90
22
20
failed
1
90
return failed(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
90
34
21
build
1
90
return failed(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
78
56
1
commentStr
10
78
public AttackResult addComment(@RequestBody String commentStr) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
80
13
2
commentStr
10
80
if (commentStr.contains(CONTENTS)) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
49
3
commentStr
10
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
4
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
5
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
6
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
7
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
8
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
9
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
48
10
parseXml
1
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
85
21
11
comment
7
85
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
33
12
comment
7
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
13
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
15
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
17
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
18
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
86
32
19
addComment
1
86
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
26
20
failed
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
39
21
output
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
88
59
22
build
1
88
return failed(this).output(e.toString()).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
53
59
1
commentStr
10
53
public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
64
53
2
commentStr
10
64
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
3
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
4
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
5
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
6
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
7
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
8
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
64
52
9
parseXml
1
64
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
64
25
10
comment
7
64
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
65
37
11
comment
7
65
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
12
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
13
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
15
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
17
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
65
36
18
addComment
1
65
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
67
43
19
success
1
67
attackResult = success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
67
55
20
build
1
67
attackResult = success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
67
21
21
attackResult
12
67
attackResult = success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
75
16
22
attackResult
12
75
return attackResult;
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
66
62
1
commentStr
10
66
public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
49
2
commentStr
10
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
3
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
4
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
5
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
6
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
7
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
8
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
48
9
parseXml
1
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
21
10
comment
7
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
33
11
comment
7
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
12
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
13
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
15
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
17
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
13
18
comments
8
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
72
31
19
success
1
72
return success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
72
43
20
build
1
72
return success(this).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
66
62
1
commentStr
10
66
public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
49
2
commentStr
10
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
87
39
3
xml
3
87
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
62
4
xml
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
45
5
StringReader
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
44
6
createXMLStreamReader
1
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
90
13
7
xsr
3
90
var xsr = xif.createXMLStreamReader(new StringReader(xml));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
93
48
8
unmarshal
1
93
return (Comment) unmarshaller.unmarshal(xsr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
48
9
parseXml
1
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
69
21
10
comment
7
69
Comment comment = comments.parseXml(commentStr);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
33
11
comment
7
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
105
36
12
comment
7
105
public void addComment(Comment comment, boolean visibleForAllUsers) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
13
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
106
28
14
setDateTime
1
106
comment.setDateTime(DateTime.now().toString(fmt));
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
15
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
107
24
16
setUser
1
107
comment.setUser(webSession.getUserName());
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
109
25
17
add
1
109
comments.add(comment);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
70
13
18
comments
8
70
comments.addComment(comment, false);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
22
19
failed
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
35
20
output
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
77
48
21
build
1
77
return failed(this).output(error).build();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
66
1
userAgent
9
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
59
2
userAgent
9
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
116
1
text
4
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
70
2
text
4
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
101
2
username_reg
12
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
24
3
checkUserQuery
14
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
62
4
checkUserQuery
14
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
5
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
51
56
1
userid_6a
9
51
public AttackResult completed(@RequestParam String userid_6a) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
32
2
userid_6a
9
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
3
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
4
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
6
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
7
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
48
89
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
49
13
2
userId
6
49
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
52
62
3
userId
6
52
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
4
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
5
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
6
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
7
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
8
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
48
101
1
userId
6
48
public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
18
2
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
3
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
4
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
5
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
6
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
7
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
8
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
9
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
10
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
11
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
12
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
13
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
52
56
1
action_string
13
52
public AttackResult completed(@RequestParam String action_string) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
44
2
action_string
13
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
56
63
3
action
6
56
protected AttackResult injectableQueryAvailability(String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
74
4
action
6
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
16
5
query
5
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
60
6
query
5
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
7
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
55
56
1
query
5
55
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
32
2
query
5
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
59
51
3
query
5
59
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
56
4
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
5
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
56
56
1
query
5
56
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
32
2
query
5
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
60
51
3
query
5
60
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
41
4
query
5
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
40
5
executeUpdate
1
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
52
56
1
query
5
52
public AttackResult completed(@RequestParam String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
53
32
2
query
5
53
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
56
51
3
query
5
56
protected AttackResult injectableQuery(String query) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
41
4
query
5
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
40
5
executeUpdate
1
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
56
1
account
7
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
32
2
account
7
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
86
1
operator
8
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
48
2
operator
8
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
53
117
1
injection
9
53
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
65
2
injection
9
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
57
51
3
accountName
11
57
protected AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
93
4
accountName
11
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
60
13
5
query
5
60
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
60
6
query
5
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
7
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
60
6
query
5
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
7
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
60
6
query
5
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
7
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
60
6
query
5
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
7
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
60
6
query
5
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
7
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
52
1
username_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
129
2
username_login
14
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
70
3
prepareStatement
1
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
31
4
statement
9
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
35
5
statement
9
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
6
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
51
89
1
password_login
14
51
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
169
2
password_login
14
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
70
3
prepareStatement
1
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
59
31
4
statement
9
59
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
35
5
statement
9
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
6
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
51
56
1
userid
6
51
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
45
2
userid
6
52
return injectableQuery(login_count, userid);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
55
71
3
accountName
11
55
protected AttackResult injectableQuery(String login_count, String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
93
4
accountName
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
56
16
5
queryString
11
56
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
67
6
queryString
11
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
66
7
prepareStatement
1
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
58
31
8
query
5
58
PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
68
13
9
query
5
68
query.setInt(1, count);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
37
10
query
5
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
11
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
69
51
1
column
6
69
public List<Server> sort(@RequestParam String column) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
189
2
column
6
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
79
3
prepareStatement
1
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
73
198
4
preparedStatement
1
73
PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
28
5
preparedStatement
17
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
58
6
executeQuery
1
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
56
59
1
executeQuery
1
56
ResultSet results = statement.executeQuery(query);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
56
27
2
results
7
56
ResultSet results = statement.executeQuery(query);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
60
40
3
next
1
60
while (results.next()) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
62
63
4
getString
1
62
userMap.put("first", results.getString(1));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
66
64
5
getString
1
66
userMap.put("cookie", results.getString(5));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
66
36
6
put
1
66
userMap.put("cookie", results.getString(5));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
67
25
7
userMap
7
67
userMap.put("loginCount", Integer.toString(results.getInt(6)));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
68
60
8
userMap
7
68
allUsersMap.put(results.getInt(0), userMap);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
68
40
9
put
1
68
allUsersMap.put(results.getInt(0), userMap);
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
71
28
10
allUsersMap
11
71
return allUsersMap;
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
27
2
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
67
3
results
7
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
4
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
5
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
6
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
7
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
8
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
9
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
10
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
11
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
12
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
13
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
66
14
writeTable
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
34
15
append
1
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
63
16
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
82
25
17
output
6
82
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
83
25
18
output
6
83
output.append(appendingWhenSucceded);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
105
19
output
6
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
120
20
toString
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
104
21
feedbackArgs
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
130
22
output
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
84
165
23
build
1
84
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
52
31
24
injectableQuery
1
52
return injectableQuery(userid_6a);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
1
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
27
2
results
7
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
67
69
3
results
7
67
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
67
68
13
generateTable
1
67
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
67
34
14
append
1
67
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
85
15
output
6
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
100
16
toString
1
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
84
17
output
1
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
68
109
18
build
1
68
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
43
19
injectableQueryAvailability
1
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
23
2
results
7
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
65
3
results
7
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
64
13
generateTable
1
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
69
30
14
append
1
69
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
81
15
output
6
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
96
16
toString
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
80
17
output
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
70
105
18
build
1
70
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
56
31
19
injectableQuery
1
56
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
66
64
1
executeQuery
1
66
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
66
27
2
results
7
66
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
69
3
results
7
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
68
13
generateTable
1
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
72
34
14
append
1
72
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
49
15
output
6
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
64
16
toString
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
48
17
output
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
73
73
18
build
1
73
return success(this).output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
57
31
19
injectableQuery
1
57
return injectableQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
27
2
results
7
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
68
46
3
results
7
68
output.append(writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
4
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
5
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
6
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
7
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
8
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
9
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
10
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
11
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
12
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
13
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
68
45
14
writeTable
1
68
output.append(writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
68
34
15
append
1
68
output.append(writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
145
16
output
6
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
160
17
toString
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
144
18
feedbackArgs
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
73
169
19
build
1
73
return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
54
31
20
injectableQuery
1
54
return injectableQuery(account + " " + operator + " " + injection);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
1
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
27
2
results
7
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
69
53
3
results
7
69
output.append(generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
69
52
13
generateTable
1
69
output.append(generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
69
38
14
append
1
69
output.append(generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
93
15
output
6
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
108
16
toString
1
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
92
17
output
1
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
74
117
18
build
1
74
return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
46
19
injectableQueryConfidentiality
1
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
1
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
27
2
results
7
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
70
73
3
results
7
70
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
70
72
13
generateTable
1
70
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
70
38
14
append
1
70
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
81
51
15
output
6
81
return checkSalaryRanking(connection, output);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
89
81
16
output
6
89
private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
80
17
output
6
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
95
18
toString
1
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
79
19
output
1
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
102
104
20
build
1
102
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
81
38
21
checkSalaryRanking
1
81
return checkSalaryRanking(connection, output);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
40
22
injectableQueryIntegrity
1
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
94
59
1
executeQuery
1
94
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
94
27
2
results
7
94
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
99
69
3
results
7
99
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
96
50
4
results
7
96
public static String generateTable(ResultSet results) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
111
32
5
next
1
111
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
43
6
results
7
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
60
7
getString
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
114
33
8
append
1
114
table.append("<td>" + results.getString(i) + "</td>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
116
17
9
table
5
116
table.append("</tr>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
123
9
10
table
5
123
table.append("</table>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
17
11
table
5
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
124
31
12
toString
1
124
return (table.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
99
68
13
generateTable
1
99
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
99
34
14
append
1
99
output.append(SqlInjectionLesson8.generateTable(results));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
85
15
output
6
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
100
16
toString
1
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
84
17
output
1
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
100
109
18
build
1
100
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
81
38
19
checkSalaryRanking
1
81
return checkSalaryRanking(connection, output);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
40
20
injectableQueryIntegrity
1
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
1
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
27
2
results
7
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
77
67
3
results
7
77
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
4
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
5
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
6
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
7
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
8
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
9
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
10
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
11
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
17
12
t
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
118
27
13
toString
1
118
return (t.toString());
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
77
66
14
writeTable
1
77
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
77
34
15
append
1
77
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
163
16
output
6
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
178
17
toString
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
162
18
feedbackArgs
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
82
187
19
build
1
82
return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
52
31
20
injectableQuery
1
52
return injectableQuery(login_count, userid);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
103
1
listFiles
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
66
2
arrayToCommaDelimitedString
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
115
3
getBytes
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
26
4
body
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
46
56
1
token
5
46
public AttackResult completed(@RequestParam String token) throws IOException {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
20
2
token
5
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
33
3
replace
1
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
51
4
replace
1
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
52
9
5
b64token
8
52
b64token = token.replace('-', '+').replace('_', '/');
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
112
6
b64token
8
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
111
7
decode
1
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
60
8
ByteArrayInputStream
3
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
54
38
9
ObjectInputStream
3
54
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
56
38
10
readObject
1
56
Object o = ois.readObject();
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
42
49
1
payload
7
42
AttackResult completed(@RequestParam String payload) {
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
49
2
payload
7
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
53
48
3
fromXML
1
53
contact = (Contact) xstream.fromXML(payload);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
59
1
""\r""
4
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
3
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
4
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
5
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
6
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
7
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
41
1
""\n""
4
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
3
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
5
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
6
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
7
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
8
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
41
1
""-----END PRIVATE KEY-----""
27
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
2
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
3
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
5
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
6
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
8
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
9
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
10
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
11
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
41
1
""-----BEGIN PRIVATE KEY-----""
29
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
40
2
replace
1
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
3
3
privateKeyPem
13
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
19
4
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
5
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
6
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
8
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
9
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
10
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
11
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
12
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
13
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
14
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
72
1
""""
2
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
40
2
replace
1
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
124
3
3
privateKeyPem
13
124
privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
19
4
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
5
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
6
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
8
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
9
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
10
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
11
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
12
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
13
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
14
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
70
1
""""
2
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
40
2
replace
1
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
125
3
3
privateKeyPem
13
125
privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
19
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
5
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
6
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
7
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
8
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
9
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
10
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
11
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
47
1
""""
2
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
40
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
3
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
4
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
5
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
6
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
7
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
8
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
65
1
""""
2
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
58
2
replace
1
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
126
3
3
privateKeyPem
13
126
privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
53
4
privateKeyPem
13
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
52
5
decode
1
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
129
16
6
decoded
7
129
byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
131
59
7
decoded
7
131
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
88
23
1
""secret""
8
88
String jsonSecret = "secret";
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
88
10
2
jsonSecret
10
88
String jsonSecret = "secret";
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
89
70
3
jsonSecret
10
89
String jwtToken = jwtFinalEndpoint.encode(jsonHeader, jsonPayload, jsonSecret).replace(":", "")
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
92
42
4
jsonSecret
10
92
@RequestParam("jsonSecret") String jsonSecret) throws NoSuchAlgorithmException {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
105
110
5
jsonSecret
10
105
encodedSignature = TextCodec.BASE64URL.encode(getJWTSignature(jsonHeader, encodedHeader, encodedPayload, jsonSecret));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
117
107
6
jsonSecret
10
117
private byte[] getJWTSignature(String jsonHeader, String encodedHeader, String encodedPayload, String jsonSecret) throws NoSuchAlgorithmException, InvalidKeyException {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
124
78
7
jsonSecret
10
124
SecretKeySpec secret_key = new SecretKeySpec(TextCodec.BASE64.decode(jsonSecret), algorithm);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
124
77
8
decode
1
124
SecretKeySpec secret_key = new SecretKeySpec(TextCodec.BASE64.decode(jsonSecret), algorithm);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
25
35
1
nextInt
1
25
int j = random.nextInt(a.length);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
53
68
1
nextInt
1
53
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
55
48
1
nextInt
1
55
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
74
48
1
nextInt
1
74
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
63
76
1
nextInt
1
63
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
69
76
1
nextInt
1
69
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
80
72
1
nextInt
1
80
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
51
97
1
nextInt
1
51
public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
25
35
1
nextInt
1
25
int j = random.nextInt(a.length);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
53
68
1
nextInt
1
53
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
55
48
1
nextInt
1
55
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
74
48
1
nextInt
1
74
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
63
76
1
nextInt
1
63
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
69
76
1
nextInt
1
69
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
80
72
1
nextInt
1
80
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
51
97
1
nextInt
1
51
public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
75
52
2
username_reg
12
75
preparedStatement.setString(1, username_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
75
48
3
setString
1
75
preparedStatement.setString(1, username_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
76
21
4
preparedStatement
17
76
preparedStatement.setString(2, email_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
21
5
preparedStatement
17
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
21
6
preparedStatement
17
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
7
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
97
1
email_reg
9
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
76
52
2
email_reg
9
76
preparedStatement.setString(2, email_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
76
48
3
setString
1
76
preparedStatement.setString(2, email_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
21
4
preparedStatement
17
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
21
5
preparedStatement
17
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
6
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
129
1
password_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
52
2
password_reg
12
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
77
48
3
setString
1
77
preparedStatement.setString(3, password_reg);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
21
4
preparedStatement
17
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
5
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
56
1
name
4
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
47
2
name
4
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
66
3
name
4
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
72
4
name
4
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
53
83
1
auth_tan
8
53
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
54
53
2
auth_tan
8
54
return injectableQueryConfidentiality(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
57
79
3
auth_tan
8
57
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
102
4
auth_tan
8
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
59
16
5
query
5
59
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
64
33
6
query
5
64
log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
56
1
name
4
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
41
2
name
4
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
60
3
name
4
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
72
4
name
4
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
55
83
1
auth_tan
8
55
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
56
47
2
auth_tan
8
56
return injectableQueryIntegrity(name, auth_tan);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
59
73
3
auth_tan
8
59
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
102
4
auth_tan
8
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
61
16
5
query
5
61
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
65
53
6
query
5
65
SqlInjectionLesson8.log(connection, query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
127
58
7
action
6
127
public static void log(Connection connection, String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
18
8
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
32
9
replace
1
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
128
9
10
action
6
128
action = action.replace('\'', '"');
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
95
11
action
6
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
133
16
12
logQuery
8
133
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
37
13
logQuery
8
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
14
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
53
11
1
password
8
53
String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
59
16
1
password
8
59
String password = (String) json.get("password");
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
68
20
1
passwordTom
11
68
String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
61
16
1
password
8
61
String password = "dave";
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
31
20
1
password
8
31
private String password = "";
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
51
32
1
usersToTomPassword
18
51
static Map<String, String> usersToTomPassword = Maps.newHashMap();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
49
38
1
args
4
49
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
85
2
element
7
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
39
3
println
1
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
33
38
1
args
4
33
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
38
27
2
args
4
38
String username = args[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
38
16
3
username
8
38
String username = args[0];
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
40
68
4
username
8
40
System.out.println("Generation password reset link for " + username);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
40
27
5
println
1
40
System.out.println("Generation password reset link for " + username);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
116
1
text
4
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
70
2
text
4
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
45
66
1
userAgent
9
45
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
59
2
userAgent
9
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
39
3
format
1
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
46
16
4
logLine
7
46
String logLine = String.format("%s %s %s", "GET", userAgent, text);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
28
5
logLine
7
51
pw.println(logLine);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
6
println
1
51
pw.println(logLine);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
43
2
password
8
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
58
3
length
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
22
4
append
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
9
5
output
6
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
9
6
output
6
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
7
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
8
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
9
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
10
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
76
11
output
6
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
91
12
toString
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
75
13
output
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
100
14
build
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
1
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
2
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
3
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
4
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
5
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
6
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
7
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
8
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
9
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
10
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
11
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
76
12
output
6
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
91
13
toString
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
75
14
output
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
72
100
15
build
1
72
return success(this).feedback("securepassword-success").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
40
56
1
password
8
40
public AttackResult completed(@RequestParam String password) {
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
43
2
password
8
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
58
3
length
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
48
22
4
append
1
48
output.append("<b>Length: </b>" + password.length() + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
9
5
output
6
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
9
6
output
6
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
7
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
8
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
9
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
10
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
74
11
output
6
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
89
12
toString
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
73
13
output
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
98
14
build
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
44
1
password
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
43
2
measure
1
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
45
18
3
strength
8
45
Strength strength = zxcvbn.measure(password);
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
49
94
4
strength
8
49
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
90
5
strength
8
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
107
6
getScore
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
50
22
7
append
1
50
output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
52
13
8
output
6
52
output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\"> </div></br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
58
9
9
output
6
58
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
68
9
10
output
6
68
output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
69
9
11
output
6
69
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
74
12
output
6
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
89
13
toString
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
73
14
output
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
74
98
15
build
1
74
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
39
63
1
text
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
39
34
2
replace
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
39
17
3
comment
7
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
40
27
4
comment
7
40
comment = comment.replace('STARS', result[i].stars)
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
40
34
5
replace
1
40
comment = comment.replace('STARS', result[i].stars)
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
40
17
6
comment
7
40
comment = comment.replace('STARS', result[i].stars)
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
41
35
7
comment
7
41
$("#list").append(comment);
webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
41
27
8
append
1
41
$("#list").append(comment);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
39
63
1
text
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
39
34
2
replace
1
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
39
17
3
comment
7
39
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
40
35
4
comment
7
40
$("#list").append(comment);
webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
40
27
5
append
1
40
$("#list").append(comment);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
77
59
1
text
1
77
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
77
30
2
replace
1
77
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
77
13
3
comment
7
77
comment = comment.replace('COMMENT', result[i].text);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
78
29
4
comment
7
78
$(field).append(comment);
webgoat-lessons/xxe/src/main/resources/js/xxe.js
78
21
5
append
1
78
$(field).append(comment);
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
62
61
1
"secret"
8
62
mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
62
60
2
param
1
62
mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
58
17
1
secret
6
58
md.update(secret.getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
58
32
2
getBytes
1
58
md.update(secret.getBytes());
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
66
90
1
secret
6
66
public AttackResult execute(@RequestParam(value = "secret", required = false) String secret) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
67
86
2
secret
6
67
if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
45
56
1
url
3
45
public AttackResult completed(@RequestParam String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
46
24
2
url
3
46
return furBall(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
49
43
3
url
3
49
protected AttackResult furBall(String url) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
53
17
4
url
3
53
if (url.matches("http://ifconfig.pro")) {
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
33
5
url
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
25
6
URL
3
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
54
21
7
u
1
54
URL u = new URL(url);
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
47
8
u
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
55
63
9
openConnection
1
55
URLConnection urlConnection = u.openConnection();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
75
67
1
request
7
75
public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
27
2
request
7
76
var queryParams = request.getQueryString();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
76
49
3
getQueryString
1
76
var queryParams = request.getQueryString();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
89
52
1
user
4
89
public void login(@RequestParam("user") String user, HttpServletResponse response) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
32
2
user
4
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
23
3
put
1
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
4
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
5
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
6
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
7
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
8
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
9
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
29
10
Cookie
3
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
20
11
cookie
6
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
12
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
31
13
addCookie
1
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
100
13
14
response
8
100
response.setStatus(HttpStatus.OK.value());
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
101
13
15
response
8
101
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
101
36
16
setContentType
1
101
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
89
52
1
user
4
89
public void login(@RequestParam("user") String user, HttpServletResponse response) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
32
2
user
4
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
93
23
3
put
1
93
claims.put("user", user);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
32
4
claims
6
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
95
31
5
setClaims
1
95
.setClaims(claims)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
6
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
7
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
8
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
9
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
29
10
Cookie
3
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
20
11
cookie
6
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
12
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
31
13
addCookie
1
99
response.addCookie(cookie);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
56
62
1
username_reg
12
56
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
101
2
username_reg
12
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
63
24
3
checkUserQuery
14
63
String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
62
4
checkUserQuery
14
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
5
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
52
56
1
action_string
13
52
public AttackResult completed(@RequestParam String action_string) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
53
44
2
action_string
13
53
return injectableQueryAvailability(action_string);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
56
63
3
action
6
56
protected AttackResult injectableQueryAvailability(String action) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
74
4
action
6
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
58
16
5
query
5
58
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
60
6
query
5
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
7
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
48
51
1
request
7
48
public String getBasicAuth(HttpServletRequest request) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
50
31
2
request
7
50
String basicAuth = (String) request.getSession().getAttribute("basicAuth");
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
21
3
request
7
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
45
4
getUserPrincipal
1
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
55
5
getName
1
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
51
10
6
username
8
51
String username = request.getUserPrincipal().getName();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
54
29
7
username
8
54
basicAuth = getBasicAuth(username, password);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
42
43
8
username
8
42
public static String getBasicAuth(String username, String password) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
48
9
username
8
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
63
10
concat
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
75
11
concat
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
94
12
getBytes
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
43
47
13
encodeToString
1
43
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
54
28
14
getBasicAuth
1
54
basicAuth = getBasicAuth(username, password);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
54
4
15
basicAuth
9
54
basicAuth = getBasicAuth(username, password);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
55
51
16
basicAuth
9
55
request.getSession().setAttribute("basicAuth", basicAuth);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
79
76
1
link
4
79
public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
83
31
2
link
4
83
form.setResetLink(link);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
83
30
3
setResetLink
1
83
form.setResetLink(link);
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
84
40
4
form
4
84
model.addAttribute("form", form);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
49
38
1
args
4
49
public static void main(String[] args) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
67
2
element
7
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
55
58
3
File
3
55
System.out.println(MD5.getHashString(new File(element)) + " " + element);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
73
1
JWT_PASSWORD
12
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
96
30
2
signWith
1
96
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
97
29
3
compact
1
97
.compact();
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
94
20
4
token
5
94
String token = Jwts.builder()
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
56
5
token
5
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
29
6
Cookie
3
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
98
20
7
cookie
6
98
Cookie cookie = new Cookie("access_token", token);
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
99
32
8
cookie
6
99
response.addCookie(cookie);
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
41
94
1
secretText
10
41
public AttackResult completed(@RequestParam String secretFileName, @RequestParam String secretText) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
43
60
2
secretText
10
43
if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
103
41
3
secret
6
103
public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
105
16
4
secret
6
105
md.update(secret.getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
105
31
5
getBytes
1
105
md.update(secret.getBytes());
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
105
15
6
update
1
105
md.update(secret.getBytes());
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
54
1
"SHA-256"
9
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
53
2
getInstance
1
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
23
3
md
2
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
23
4
md
2
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
32
5
digest
1
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
54
1
"SHA-256"
9
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
53
2
getInstance
1
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
63
23
3
md
2
63
MessageDigest md = MessageDigest.getInstance("SHA-256");
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
23
4
md
2
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
67
32
5
digest
1
67
byte[] hash = md.digest(salted.getBytes("UTF-8"));
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
56
59
1
executeQuery
1
56
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
65
61
1
executeQuery
1
65
ResultSet resultSet = statement.executeQuery(checkUserQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
67
59
1
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
63
59
1
executeQuery
1
63
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
92
50
1
executeQuery
1
92
ResultSet results = stmt.executeQuery("SELECT * FROM access_log");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
62
55
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
65
40
1
executeUpdate
1
65
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
66
64
1
executeQuery
1
66
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
59
40
1
executeUpdate
1
59
statement.executeUpdate(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
61
59
1
executeQuery
1
61
ResultSet results = statement.executeQuery("SELECT phone from employees;");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
62
59
1
executeQuery
1
62
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
65
59
1
executeQuery
1
65
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
137
36
1
executeUpdate
1
137
statement.executeUpdate(logQuery);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
66
59
1
executeQuery
1
66
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
94
59
1
executeQuery
1
94
ResultSet results = statement.executeQuery(query);
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
60
57
1
executeQuery
1
60
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
78
46
1
execute
1
78
preparedStatement.execute();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
54
57
1
executeQuery
1
54
ResultSet resultSet = statement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
71
55
1
executeQuery
1
71
ResultSet results = query.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
74
58
1
executeQuery
1
74
ResultSet rs = preparedStatement.executeQuery();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13.java
58
65
1
executeQuery
1
58
ResultSet resultSet = preparedStatement.executeQuery();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
26
89
1
readAllBytes
1
26
byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
31
1
read
1
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
31
1
read
1
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
56
38
1
readObject
1
56
Object o = ois.readObject();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
21
34
1
readObject
1
21
Object o = ois.readObject();
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
135
32
1
buffer
6
135
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
153
32
1
buffer
6
153
while ((read = in.read(buffer)) != -1) {
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
59
56
1
first
1
59
if ((results != null) && (results.first() == true)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
69
56
1
first
1
69
if ((results != null) && (results.first())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
80
33
1
last
1
80
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
69
53
1
first
1
69
if (results != null && results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
66
34
1
first
1
66
results.first();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
65
26
1
first
1
65
results.first();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
69
30
1
first
1
69
results.first();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
64
34
1
first
1
64
if (results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
64
56
1
first
1
64
if ((results != null) && (results.first())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
69
33
1
last
1
69
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
90
28
1
beforeFirst
1
90
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
101
32
1
beforeFirst
1
101
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
73
56
1
first
1
73
if ((results != null) && (results.first() == true)) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
78
33
1
last
1
78
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
68
38
1
first
1
68
if (results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
70
37
1
last
1
70
results.last();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
99
28
1
beforeFirst
1
99
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
110
32
1
beforeFirst
1
110
results.beforeFirst();
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
69
38
1
first
1
69
if (results.first()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
96
30
1
first
1
96
results.first();
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
38
22
1
writeLong
1
38
dos.writeLong(-8699352886133051976L);
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
30
24
1
writeObject
1
30
oos.writeObject(o);
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
51
27
1
println
1
51
pw.println(logLine);
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
97
103
1
listFiles
1
97
.body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
59
34
1
mkdir
1
59
targetDirectory.mkdir();
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
67
34
1
mkdir
1
67
targetDirectory.mkdir();
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
44
41
1
mkdirs
1
44
this.catPicturesDirectory.mkdirs();
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
57
18
1
path
4
57
@PostMapping(path = "/auth-bypass/verify-account", produces = {"application/json"})
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
72
21
1
path
4
72
@RequestMapping(path = "/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java
52
18
1
path
4
52
@PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
64
17
1
path
4
64
@GetMapping(path = "/CrossSiteScriptingStored/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
46
14
1
path
4
46
@GetMapping(path="/crypto/encoding/basic",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
48
18
1
path
4
48
@RequestMapping(path="/crypto/hashing/md5",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
68
18
1
path
4
68
@RequestMapping(path="/crypto/hashing/sha256",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
50
18
1
path
4
50
@RequestMapping(path="/crypto/signing/getprivate",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java
45
18
1
path
4
45
@PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"})
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
79
18
1
path
4
79
@PostMapping(path = "/csrf/feedback", produces = "application/json")
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
49
21
1
path
4
49
@RequestMapping(path = "/csrf/basic-get-flag", produces = {"application/json"}, method = RequestMethod.POST)
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
48
18
1
path
4
48
@PostMapping(path = "/csrf/login", produces = {"application/json"})
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
62
17
1
path
4
62
@GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequest.java
35
21
1
path
4
35
@RequestMapping(path = "/HttpProxies/intercept-request", method = {RequestMethod.POST, RequestMethod.GET})
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
39
17
1
path
4
39
@PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
46
17
1
path
4
46
@GetMapping(path = "/IDOR/profile/{userId}", produces = {"application/json"})
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java
42
17
1
path
4
42
@GetMapping(path = {"/IDOR/own", "/IDOR/profile"}, produces = {"application/json"})
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
88
18
1
path
4
88
@PostMapping(path="/JWT/encode",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
130
18
1
path
4
130
@PostMapping(path="/JWT/decode",produces=MediaType.TEXT_HTML_VALUE)
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
55
21
1
path
4
55
@RequestMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE)
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
45
18
1
path
4
45
@PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
53
21
1
path
4
53
@RequestMapping(path = {"users"}, method = RequestMethod.GET)
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
70
21
1
path
4
70
@RequestMapping(path = {"users", "/"}, method = RequestMethod.GET,consumes = "application/json")
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
82
21
1
path
4
82
@RequestMapping(path = {"users","/"}, method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
44
18
1
path
4
44
@PostMapping(path = "/access-control/user-hash", produces = {"application/json"})
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
53
18
1
path
4
53
@PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
56
18
1
path
4
56
@PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
76
18
1
path
4
76
@PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
51
18
1
path
4
51
@PostMapping(path = "xxe/content-type")
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
64
18
1
path
4
64
@PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
89
21
1
path
4
89
@RequestMapping(path = "/xxe/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
95
21
1
path
4
95
@RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
57
14
1
targetDirectory
15
57
File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
72
14
1
d
1
72
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
65
14
1
targetDirectory
15
65
File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
48
14
1
logFile
7
48
File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
79
14
1
targetFile
10
79
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
103
14
1
targetFile
10
103
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
50
30
1
pw
2
50
try (PrintWriter pw = new PrintWriter(logFile)) {
webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
52
61
1
toLowerCase
1
52
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
52
70
2
equals
1
52
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
40
48
1
toLowerCase
1
40
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
40
57
2
equals
1
40
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
48
31
1
toLowerCase
1
48
if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
48
41
2
matches
1
48
if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
66
31
1
toLowerCase
1
66
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
66
41
2
matches
1
66
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
69
35
1
toLowerCase
1
69
if (field1.toLowerCase().contains("console.log")) {
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
69
46
2
contains
1
69
if (field1.toLowerCase().contains("console.log")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
117
121
1
toUpperCase
1
117
result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
117
101
2
equals
1
117
result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
108
43
1
toUpperCase
1
108
.printHexBinary(digest).toUpperCase();
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
43
59
2
getHash
1
43
if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
43
99
3
equalsIgnoreCase
1
43
if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
74
109
1
toUpperCase
1
74
if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) {
webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
74
85
2
equals
1
74
if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
42
45
1
toUpperCase
1
42
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
42
26
2
equals
1
42
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
45
50
1
toUpperCase
1
45
if (!"POST".equals(answer.toUpperCase())) {
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
45
31
2
equals
1
45
if (!"POST".equals(answer.toUpperCase())) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
39
1
toLowerCase
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
46
2
trim
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
55
3
equals
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
95
1
toLowerCase
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
102
2
trim
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
42
111
3
equals
1
42
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
46
1
toLowerCase
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
53
2
trim
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
62
3
equals
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
102
1
toLowerCase
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
109
2
trim
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
43
118
3
equals
1
43
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
54
95
1
toLowerCase
1
54
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
54
104
2
equals
1
54
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
61
94
1
toLowerCase
1
61
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
61
103
2
equals
1
61
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
68
96
1
toLowerCase
1
68
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
68
105
2
equals
1
68
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
24
70
1
toLowerCase
1
24
private static String OS = System.getProperty("os.name").toLowerCase();
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
24
24
2
OS
2
24
private static String OS = System.getProperty("os.name").toLowerCase();
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
35
10
3
OS
2
35
if (OS.indexOf("win")>-1) {
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
35
20
4
indexOf
1
35
if (OS.indexOf("win")>-1) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
102
30
1
toLowerCase
1
102
if (jsonHeader.toLowerCase().contains("none")) {
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
102
41
2
contains
1
102
if (jsonHeader.toLowerCase().contains("none")) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
59
60
1
toLowerCase
1
59
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
59
39
2
equalsIgnoreCase
1
59
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
61
1
toLowerCase
1
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
40
2
get
1
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
63
16
3
validAnswer
11
63
String validAnswer = COLORS.get(username.toLowerCase());
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
66
20
4
validAnswer
11
66
} else if (validAnswer.equals(securityQuestion)) {
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
66
38
5
equals
1
66
} else if (validAnswer.equals(securityQuestion)) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
84
49
1
toLowerCase
1
84
if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
84
60
2
contains
1
84
if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
80
1
toLowerCase
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
45
2
contains
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
34
1
toLowerCase
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
48
45
2
contains
1
48
if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
1
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
2
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
3
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
4
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
5
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
6
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
7
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
62
18
8
accountName
11
62
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
62
37
9
matches
1
62
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
36
1
toUpperCase
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
46
2
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
66
3
replace
1
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
49
9
4
userId
6
49
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
50
13
5
userId
6
50
if (userId.contains(" ")) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
53
62
6
userId
6
53
AttackResult attackResult = lesson6a.injectableQuery(userId);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
56
48
7
accountName
11
56
public AttackResult injectableQuery(String accountName) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
69
8
accountName
11
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
60
13
9
query
5
60
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
60
10
query
5
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
59
11
executeQuery
1
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
67
27
12
results
7
67
ResultSet results = statement.executeQuery(query);
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
73
67
13
results
7
73
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
88
47
14
results
7
88
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
103
32
15
next
1
103
while (results.next()) {
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
16
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
47
17
getString
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
106
29
18
append
1
106
t.append(results.getString(i));
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
107
21
19
t
1
107
t.append(", ");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
110
17
20
t
1
110
t.append("<br />");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
117
9
21
t
1
117
t.append("</p>");
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introductio