webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 43 1 ""id"" 4 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 42 2 getParameter 1 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 17 3 id 2 81 var id = request.getParameter("id"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 85 57 1 newUser 7 85 public WebGoatUser addUser(@RequestBody WebGoatUser newUser) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 87 33 2 newUser 7 87 userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole()); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 87 55 3 newUser 7 87 userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole()); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 87 77 4 newUser 7 87 userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole()); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 88 51 5 newUser 7 88 return userService.loadUserByUsername(newUser.getUsername()); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 88 70 6 getUsername 1 88 return userService.loadUserByUsername(newUser.getUsername()); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 88 50 7 loadUserByUsername 1 88 return userService.loadUserByUsername(newUser.getUsername()); webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 59 56 1 userId 6 59

    public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {

webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 71 61 2 userId 6 71 userSessionData.setValue("account-verified-id", userId); webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 71 37 3 setValue 1 71 userSessionData.setValue("account-verified-id", userId); webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 72 27 4 success 1 72 return success(this) webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 73 30 5 feedback 1 73 .feedback("verify-account.success") webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 74 27 6 build 1 74 .build(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 51 52 1 username_login 14 51

    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 56 73 2 username_login 14 56 return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 56 72 3 feedbackArgs 1 56 return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 56 94 4 build 1 56 return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java 59 68 1 email 5 59

    public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {

    public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java 73 66 2 email 5 73 return success(this).feedback("email.send").feedbackArgs(email).build(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java 73 65 3 feedbackArgs 1 73 return success(this).feedback("email.send").feedbackArgs(email).build(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java 73 78 4 build 1 73 return success(this).feedback("email.send").feedbackArgs(email).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 45 84 1 field1 6 45 @RequestParam Integer QTY4, @RequestParam String field1, webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 57 57 2 field1 6 57 cart.append("We have charged credit card:" + field1 + " "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 57 20 3 append 1 57 cart.append("We have charged credit card:" + field1 + " "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 58 9 4 cart 4 58 cart.append(" ------------------- "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 59 9 5 cart 4 59 cart.append(" $" + totalSale); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 70 90 6 cart 4 70 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 70 103 7 toString 1 70 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 70 89 8 output 1 70 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 70 112 9 build 1 70 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 45 84 1 field1 6 45 @RequestParam Integer QTY4, @RequestParam String field1, webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 57 57 2 field1 6 57 cart.append("We have charged credit card:" + field1 + " "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 57 20 3 append 1 57 cart.append("We have charged credit card:" + field1 + " "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 58 9 4 cart 4 58 cart.append(" ------------------- "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 59 9 5 cart 4 59 cart.append(" $" + totalSale); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 72 88 6 cart 4 72 return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 72 101 7 toString 1 72 return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 72 87 8 output 1 72 return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 72 110 9 build 1 72 return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 45 84 1 field1 6 45 @RequestParam Integer QTY4, @RequestParam String field1, webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 57 57 2 field1 6 57 cart.append("We have charged credit card:" + field1 + " "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 57 20 3 append 1 57 cart.append("We have charged credit card:" + field1 + " "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 58 9 4 cart 4 58 cart.append(" ------------------- "); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 59 9 5 cart 4 59 cart.append(" $" + totalSale); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 78 29 6 cart 4 78 .output(cart.toString()) webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 78 42 7 toString 1 78 .output(cart.toString()) webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 78 28 8 output 1 78 .output(cart.toString()) webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 79 27 9 build 1 79 .build(); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 80 62 1 commentStr 10 80 public AttackResult createNewComment(@RequestBody String commentStr) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 81 37 2 commentStr 10 81 Comment comment = parseJson(commentStr); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 97 38 3 comment 7 97 private Comment parseJson(String comment) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 100 37 4 comment 7 100 return mapper.readValue(comment, Comment.class); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 100 36 5 readValue 1 100 return mapper.readValue(comment, Comment.class); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 81 36 6 parseJson 1 81 Comment comment = parseJson(commentStr); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 81 17 7 comment 7 81 Comment comment = parseJson(commentStr); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 87 21 8 add 1 87 comments.add(comment); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 88 52 9 comments 8 88 userComments.put(webSession.getUserName(), comments); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 88 25 10 put 1 88 userComments.put(webSession.getUserName(), comments); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 93 27 11 failed 1 93 return (failed(this).feedback("xss-stored-comment-failure").build()); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 93 42 12 feedback 1 93 return (failed(this).feedback("xss-stored-comment-failure").build()); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 93 78 13 build 1 93 return (failed(this).feedback("xss-stored-comment-failure").build()); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 80 62 1 commentStr 10 80 public AttackResult createNewComment(@RequestBody String commentStr) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 81 37 2 commentStr 10 81 Comment comment = parseJson(commentStr); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 97 38 3 comment 7 97 private Comment parseJson(String comment) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 100 37 4 comment 7 100 return mapper.readValue(comment, Comment.class); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 100 36 5 readValue 1 100 return mapper.readValue(comment, Comment.class); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 81 36 6 parseJson 1 81 Comment comment = parseJson(commentStr); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 81 17 7 comment 7 81 Comment comment = parseJson(commentStr); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 87 21 8 add 1 87 comments.add(comment); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 88 52 9 comments 8 88 userComments.put(webSession.getUserName(), comments); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 88 25 10 put 1 88 userComments.put(webSession.getUserName(), comments); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 91 28 11 success 1 91 return (success(this).feedback("xss-stored-comment-success").build()); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 91 43 12 feedback 1 91 return (success(this).feedback("xss-stored-comment-success").build()); webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 91 79 13 build 1 91 return (success(this).feedback("xss-stored-comment-success").build()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 48 51 1 request 7 48 public String getBasicAuth(HttpServletRequest request) { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 50 31 2 request 7 50 String basicAuth = (String) request.getSession().getAttribute("basicAuth"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 50 49 3 getSession 1 50 String basicAuth = (String) request.getSession().getAttribute("basicAuth"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 50 64 4 getAttribute 1 50 String basicAuth = (String) request.getSession().getAttribute("basicAuth"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 50 10 5 basicAuth 9 50 String basicAuth = (String) request.getSession().getAttribute("basicAuth"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 57 41 6 basicAuth 9 57 return "Authorization: Basic ".concat(basicAuth); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 57 40 7 concat 1 57 return "Authorization: Basic ".concat(basicAuth); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 50 45 1 request 7 50 public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 52 29 2 request 7 52 String md5Hash = (String) request.getSession().getAttribute("md5Hash"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 52 47 3 getSession 1 52 String md5Hash = (String) request.getSession().getAttribute("md5Hash"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 52 62 4 getAttribute 1 52 String md5Hash = (String) request.getSession().getAttribute("md5Hash"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 52 10 5 md5Hash 7 52 String md5Hash = (String) request.getSession().getAttribute("md5Hash"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 65 10 6 md5Hash 7 65 return md5Hash; webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 70 48 1 request 7 70 public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 72 28 2 request 7 72 String sha256 = (String) request.getSession().getAttribute("sha256"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 72 46 3 getSession 1 72 String sha256 = (String) request.getSession().getAttribute("sha256"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 72 61 4 getAttribute 1 72 String sha256 = (String) request.getSession().getAttribute("sha256"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 72 10 5 sha256 6 72 String sha256 = (String) request.getSession().getAttribute("sha256"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 79 10 6 sha256 6 79 return sha256; webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 52 52 1 request 7 52

    public String getPrivateKey(HttpServletRequest request) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 54 32 2 request 7 54 String privateKey = (String) request.getSession().getAttribute("privateKeyString"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 54 50 3 getSession 1 54 String privateKey = (String) request.getSession().getAttribute("privateKeyString"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 54 65 4 getAttribute 1 54 String privateKey = (String) request.getSession().getAttribute("privateKeyString"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 54 10 5 privateKey 10 54 String privateKey = (String) request.getSession().getAttribute("privateKeyString"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 61 10 6 privateKey 10 61 return privateKey; webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 50 54 1 request 7 50 public AttackResult completed(HttpServletRequest request) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 51 27 2 request 7 51 String userName = request.getUserPrincipal().getName(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 51 51 3 getUserPrincipal 1 51 String userName = request.getUserPrincipal().getName(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 51 61 4 getName 1 51 String userName = request.getUserPrincipal().getName(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 51 16 5 userName 8 51 String userName = request.getUserPrincipal().getName(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 52 13 6 userName 8 52 if (userName.startsWith("csrf")) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 56 72 7 userName 8 56 return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 56 71 8 feedbackArgs 1 56 return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 56 87 9 build 1 56 return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 78 48 1 reviewText 10 78

    public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {

    public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {

    public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 84 24 2 reviewText 10 84 review.setText(reviewText); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 84 23 3 setText 1 84 review.setText(reviewText); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 85 9 4 review 6 85 review.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 86 9 5 review 6 86 review.setUser(webSession.getUserName()); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 87 9 6 review 6 87 review.setStars(stars); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 89 21 7 review 6 89 reviews.add(review); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 89 20 8 add 1 89 reviews.add(review); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 90 51 9 reviews 7 90 userReviews.put(webSession.getUserName(), reviews); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 90 24 10 put 1 90 userReviews.put(webSession.getUserName(), reviews); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 99 27 11 success 1 99 return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure") webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 99 42 12 feedback 1 99 return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure") webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 99 71 13 build 1 99 return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure") webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 36 56 1 person 6 36 public AttackResult completed(@RequestParam String person) { webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 37 14 2 person 6 37 if (!person.equals("")) { webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 40 48 3 person 6 40 .feedbackArgs(new StringBuffer(person).reverse().toString()) webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 40 31 4 StringBuffer 3 40 .feedbackArgs(new StringBuffer(person).reverse().toString()) webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 40 63 5 reverse 1 40 .feedbackArgs(new StringBuffer(person).reverse().toString()) webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 40 74 6 toString 1 40 .feedbackArgs(new StringBuffer(person).reverse().toString()) webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 40 30 7 feedbackArgs 1 40 .feedbackArgs(new StringBuffer(person).reverse().toString()) webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java 41 23 8 build 1 41 .build(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 132 59 1 jwtToken 8 132 public String decode(@RequestParam("jwtToken") String jwtToken) throws NoSuchAlgorithmException { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 134 49 2 jwtToken 8 134 String encodedHeader = jwtToken.substring(0, jwtToken.indexOf(".")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 134 27 3 jwtToken 8 134 String encodedHeader = jwtToken.substring(0, jwtToken.indexOf(".")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 134 45 4 substring 1 134 String encodedHeader = jwtToken.substring(0, jwtToken.indexOf(".")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 134 11 5 encodedHeader 13 134 String encodedHeader = jwtToken.substring(0, jwtToken.indexOf(".")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 136 59 6 encodedHeader 13 136 String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 136 58 7 decodeToString 1 136 String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 136 11 8 jsonHeader 10 136 String jsonHeader = TextCodec.BASE64URL.decodeToString(encodedHeader); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 32 9 jsonHeader 10 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 50 10 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 175 11 BinaryExpr 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 54 85 1 json 4 54 public ResponseEntity follow(@RequestBody(required = false) Map<String, Object> json) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 58 32 2 json 4 58 String user = (String) json.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 58 40 3 get 1 58 String user = (String) json.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 58 16 4 user 4 58 String user = (String) json.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 62 39 5 user 4 62 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 67 56 6 user 4 67 private Map<String, Object> createNewTokens(String user) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 28 7 user 4 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 19 8 put 1 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 28 9 claims 6 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 27 10 setClaims 1 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 74 26 11 signWith 1 74 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 75 25 12 compact 1 75 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 71 16 13 token 5 71 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 39 14 token 5 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 22 15 put 1 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 80 9 16 tokenJson 9 80 tokenJson.put("refresh_token", refreshToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 81 16 17 tokenJson 9 81 return tokenJson; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 62 38 18 createNewTokens 1 62 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 62 22 19 ok 1 62 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 86 115 1 token 5 86

    public ResponseEntity<AttackResult> checkout(@RequestHeader(value = "Authorization", required = false) String token) {

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 71 2 token 5 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 84 3 replace 1 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 70 4 parse 1 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 17 5 jwt 3 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 92 38 6 jwt 3 92 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 92 49 7 getBody 1 92 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 92 20 8 claims 6 92 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 93 36 9 claims 6 93 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 93 46 10 get 1 93 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 93 20 11 user 4 93 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 81 12 user 4 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 80 13 feedbackArgs 1 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 92 14 build 1 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 22 15 ok 1 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 107 101 1 token 5 107 public ResponseEntity newToken(@RequestHeader(value = "Authorization", required = false) String token, webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 87 2 token 5 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 100 3 replace 1 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 86 4 parse 1 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 33 5 jwt 3 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 29 6 jwt 3 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 40 7 getBody 1 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 46 8 get 1 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 13 9 user 4 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 39 10 user 4 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 67 56 11 user 4 67 private Map<String, Object> createNewTokens(String user) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 28 12 user 4 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 19 13 put 1 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 28 14 claims 6 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 27 15 setClaims 1 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 74 26 16 signWith 1 74 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 75 25 17 compact 1 75 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 71 16 18 token 5 71 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 39 19 token 5 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 22 20 put 1 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 80 9 21 tokenJson 9 80 tokenJson.put("refresh_token", refreshToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 81 16 22 tokenJson 9 81 return tokenJson; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 38 23 createNewTokens 1 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 22 24 ok 1 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 72 52 1 token 5 72 public AttackResult login(@RequestParam String token) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 74 69 2 token 5 74 Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 74 68 3 parse 1 74 Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 74 17 4 jwt 3 74 Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 75 38 5 jwt 3 75 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 75 49 6 getBody 1 75 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 75 20 7 claims 6 75 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 76 18 8 claims 6 76 if (!claims.keySet().containsAll(expectedClaims)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 79 40 9 claims 6 79 String user = (String) claims.get("username"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 79 50 10 get 1 79 String user = (String) claims.get("username"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 79 24 11 user 4 79 String user = (String) claims.get("username"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 84 92 12 user 4 84 return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 84 91 13 feedbackArgs 1 84 return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 84 103 14 build 1 84 return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 55 73 1 json 4 55 public AttackResult passwordReset(@RequestParam Map<String, Object> json) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 56 44 2 json 4 56 String securityQuestion = (String) json.getOrDefault("securityQuestion", ""); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 57 36 3 json 4 57 String username = (String) json.getOrDefault("username", ""); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 57 53 4 getOrDefault 1 57 String username = (String) json.getOrDefault("username", ""); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 57 16 5 username 8 57 String username = (String) json.getOrDefault("username", ""); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 59 40 6 username 8 59 if ("webgoat".equalsIgnoreCase(username.toLowerCase())) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 63 41 7 username 8 63 String validAnswer = COLORS.get(username.toLowerCase()); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 65 90 8 username 8 65 return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 65 89 9 feedbackArgs 1 65 return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 65 105 10 build 1 65 return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java 59 68 1 email 5 59 public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java 75 66 2 email 5 75 return success(this).feedback("email.send").feedbackArgs(email).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java 75 65 3 feedbackArgs 1 75 return success(this).feedback("email.send").feedbackArgs(email).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java 75 78 4 build 1 75 return success(this).feedback("email.send").feedbackArgs(email).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 69 56 1 question 8 69 public AttackResult completed(@RequestParam String question) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 72 33 2 question 8 72 triedQuestions.incr(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java 37 29 3 question 8 37 public void incr(String question) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java 38 31 4 question 8 38 answeredQuestions.add(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java 38 30 5 add 1 38 answeredQuestions.add(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 72 13 6 triedQuestions 14 72 triedQuestions.incr(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 73 17 7 triedQuestions 14 73 if (triedQuestions.isComplete()) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 74 31 8 success 1 74 return success(this).output("" + answer + "").build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 74 44 9 output 1 74 return success(this).output("" + answer + "").build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 74 75 10 build 1 74 return success(this).output("" + answer + "").build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 69 56 1 question 8 69 public AttackResult completed(@RequestParam String question) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 72 33 2 question 8 72 triedQuestions.incr(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java 37 29 3 question 8 37 public void incr(String question) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java 38 31 4 question 8 38 answeredQuestions.add(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java 38 30 5 add 1 38 answeredQuestions.add(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 72 13 6 triedQuestions 14 72 triedQuestions.incr(question); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 73 17 7 triedQuestions 14 73 if (triedQuestions.isComplete()) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 77 34 8 informationMessage 1 77 return informationMessage(this) webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 78 26 9 feedback 1 78 .feedback("password-questions-one-successful") webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 79 24 10 output 1 79 .output(answer.orElse("Unknown question, please try again...")) webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java 80 23 11 build 1 80 .build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 71 60 1 emailReset 10 71 public AttackResult resetPassword(@RequestParam String emailReset) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 72 35 2 emailReset 10 72 String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 72 34 3 ofNullable 1 72 String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 72 53 4 orElse 1 72 String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 72 16 5 email 5 72 String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 73 50 6 email 5 73 return sendEmail(extractUsername(email), email); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 81 60 7 email 5 81 private AttackResult sendEmail(String username, String email) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 95 103 8 email 5 95 return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 95 102 9 feedbackArgs 1 95 return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 95 115 10 build 1 95 return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 73 25 11 sendEmail 1 73 return sendEmail(extractUsername(email), email); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 75 67 1 request 7 75 public ResponseEntity<?> getProfilePicture(HttpServletRequest request) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 27 2 request 7 76 var queryParams = request.getQueryString(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 49 3 getQueryString 1 76 var queryParams = request.getQueryString(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 13 4 queryParams 11 76 var queryParams = request.getQueryString(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 75 67 1 request 7 75 public ResponseEntity<?> getProfilePicture(HttpServletRequest request) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 27 2 request 7 76 var queryParams = request.getQueryString(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 22 3 request 7 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 42 4 getParameter 1 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 17 5 id 2 81 var id = request.getParameter("id"); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 40 56 1 password 8 40 public AttackResult completed(@RequestParam String password) { webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 44 2 password 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 43 3 measure 1 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 18 4 strength 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 49 94 5 strength 8 49

        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 90 6 strength 8 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 107 7 getScore 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 22 8 append 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 52 13 9 output 6 52

            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 58 9 10 output 6 58

        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 68 9 11 output 6 68 output.append("Score: " + strength.getScore() + "/4 "); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 69 9 12 output 6 69

        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 76 13 output 6 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 91 14 toString 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 75 15 output 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 100 16 build 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 40 56 1 password 8 40 public AttackResult completed(@RequestParam String password) { webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 44 2 password 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 43 3 measure 1 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 18 4 strength 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 49 94 5 strength 8 49

        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 90 6 strength 8 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 107 7 getScore 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 22 8 append 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 52 13 9 output 6 52

            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 58 9 10 output 6 58

        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");

        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 74 13 output 6 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 89 14 toString 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 73 15 output 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 98 16 build 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 62 1 username_reg 12 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 79 88 2 username_reg 12 79 attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 79 87 3 feedbackArgs 1 79 attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 79 107 4 build 1 79 attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 79 21 5 attackResult 12 79 attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 85 16 6 attackResult 12 85 return attackResult; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 51 56 1 userid_6a 9 51 public AttackResult completed(@RequestParam String userid_6a) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 52 32 2 userid_6a 9 52 return injectableQuery(userid_6a); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 3 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 4 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 153 6 query 5 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 130 7 output 1 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 165 8 build 1 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 52 31 9 injectableQuery 1 52 return injectableQuery(userid_6a); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 55 56 1 query 5 55 public AttackResult completed(@RequestParam String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 56 32 2 query 5 56 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 59 51 3 query 5 59 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 68 68 4 query 5 68 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 68 30 5 append 1 68 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 69 17 6 output 6 69 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 81 7 output 6 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 96 8 toString 1 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 80 9 output 1 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 105 10 build 1 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 56 31 11 injectableQuery 1 56 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 56 56 1 query 5 56 public AttackResult completed(@RequestParam String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 57 32 2 query 5 57 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 60 51 3 query 5 60 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 71 72 4 query 5 71 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 71 34 5 append 1 71 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 72 21 6 output 6 72 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 49 7 output 6 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 64 8 toString 1 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 48 9 output 1 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 73 10 build 1 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 57 31 11 injectableQuery 1 57 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 52 56 1 query 5 52 public AttackResult completed(@RequestParam String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 53 32 2 query 5 53 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 56 51 3 query 5 56 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 65 72 4 query 5 65 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 65 34 5 append 1 65 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 66 49 6 output 6 66 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 66 64 7 toString 1 66 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 66 48 8 output 1 66 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 66 73 9 build 1 66 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 53 31 10 injectableQuery 1 53 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 40 42 1 query 5 40 public AttackResult completed(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 41 32 2 query 5 41 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 44 51 3 query 5 44 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 50 17 4 query 5 50 if (query.matches(regex)) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 51 68 5 query 5 51 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 51 30 6 append 1 51 output.append("" + query + ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 52 45 7 output 6 52 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 52 60 8 toString 1 52 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 52 44 9 output 1 52 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 52 69 10 build 1 52 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java 41 31 11 injectableQuery 1 41 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 56 1 account 7 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 32 2 account 7 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 75 98 6 query 5 75 return failed(this).output(output.toString() + " Your query was: " + query).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 75 51 7 output 1 75 return failed(this).output(output.toString() + " Your query was: " + query).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 75 110 8 build 1 75 return failed(this).output(output.toString() + " Your query was: " + query).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 31 9 injectableQuery 1 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 86 1 operator 8 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 48 2 operator 8 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 75 98 6 query 5 75 return failed(this).output(output.toString() + " Your query was: " + query).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 75 51 7 output 1 75 return failed(this).output(output.toString() + " Your query was: " + query).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 75 110 8 build 1 75 return failed(this).output(output.toString() + " Your query was: " + query).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 31 9 injectableQuery 1 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 117 1 injection 9 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 45 2 userid 6 52 return injectableQuery(login_count, userid); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 55 71 3 accountName 11 55 protected AttackResult injectableQuery(String login_count, String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 56 93 4 accountName 11 56 String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 56 16 5 queryString 11 56 String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 53 6 queryString 11 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 72 7 replace 1 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 64 43 8 output 1 64 return failed(this).output("Could not parse: " + login_count + " to a number" webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 97 9 build 1 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 31 10 injectableQuery 1 52 return injectableQuery(login_count, userid); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 85 1 login_count 11 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 32 2 login_count 11 52 return injectableQuery(login_count, userid); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 55 51 3 login_count 11 55 protected AttackResult injectableQuery(String login_count, String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 78 4 login_count 11 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 72 5 replace 1 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 64 43 6 output 1 64 return failed(this).output("Could not parse: " + login_count + " to a number" webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 97 7 build 1 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 31 8 injectableQuery 1 52 return injectableQuery(login_count, userid); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 45 56 1 url 3 45 public AttackResult completed(@RequestParam String url) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 46 24 2 url 3 46 return furBall(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 49 43 3 url 3 49 protected AttackResult furBall(String url) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 53 17 4 url 3 53 if (url.matches("http://ifconfig.pro")) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 54 33 5 url 3 54 URL u = new URL(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 54 25 6 URL 3 54 URL u = new URL(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 54 21 7 u 1 54 URL u = new URL(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 55 47 8 u 1 55 URLConnection urlConnection = u.openConnection(); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 55 63 9 openConnection 1 55 URLConnection urlConnection = u.openConnection(); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 55 31 10 urlConnection 13 55 URLConnection urlConnection = u.openConnection(); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 56 78 11 urlConnection 13 56 BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 56 106 12 getInputStream 1 56 BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 56 56 13 InputStreamReader 3 56 BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 56 37 14 BufferedReader 3 56 BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 56 32 15 in 2 56 BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 59 37 16 in 2 59 while ((inputLine = in.readLine()) != null) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 59 48 17 readLine 1 59 while ((inputLine = in.readLine()) != null) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 59 52 18 != 2 59 while ((inputLine = in.readLine()) != null) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 60 33 19 inputLine 9 60 html.append(inputLine); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 60 32 20 append 1 60 html.append(inputLine); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 66 33 21 html 4 66 .output(html.toString()) webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 66 46 22 toString 1 66 .output(html.toString()) webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 66 32 23 output 1 66 .output(html.toString()) webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 67 31 24 build 1 67 .build(); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 46 23 25 furBall 1 46 return furBall(url); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 42 49 1 payload 7 42 AttackResult completed(@RequestParam String payload) { webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 2 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 3 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 13 4 contact 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 83 5 feedbackArgs 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 98 6 build 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 53 56 1 email 5 53 public AttackResult sendEmail(@RequestParam String email) { webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 54 46 2 email 5 54 String username = email.substring(0, email.indexOf("@")); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 54 27 3 email 5 54 String username = email.substring(0, email.indexOf("@")); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 67 89 4 email 5 67 return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 67 88 5 feedbackArgs 1 67 return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 67 101 6 build 1 67 return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 53 56 1 email 5 53 public AttackResult sendEmail(@RequestParam String email) { webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 54 46 2 email 5 54 String username = email.substring(0, email.indexOf("@")); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 54 27 3 email 5 54 String username = email.substring(0, email.indexOf("@")); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 54 42 4 substring 1 54 String username = email.substring(0, email.indexOf("@")); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 54 16 5 username 8 54 String username = email.substring(0, email.indexOf("@")); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 55 13 6 username 8 55 if (username.equalsIgnoreCase(getWebSession().getUserName())) { webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 69 93 7 username 8 69 return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 69 92 8 feedbackArgs 1 69 return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 69 108 9 build 1 69 return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 75 56 1 uniqueCode 10 75 public AttackResult completed(@RequestParam String uniqueCode) { webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 76 13 2 uniqueCode 10 76 if (uniqueCode.equals(StringUtils.reverse(getWebSession().getUserName()))) { webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 79 85 3 uniqueCode 10 79 return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 79 84 4 feedbackArgs 1 79 return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 79 102 5 build 1 79 return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 78 56 1 commentStr 10 78 public AttackResult addComment(@RequestBody String commentStr) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 80 13 2 commentStr 10 80 if (commentStr.contains(CONTENTS)) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 85 49 3 commentStr 10 85 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 87 39 4 xml 3 87 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 62 5 xml 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 45 6 StringReader 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 44 7 createXMLStreamReader 1 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 13 8 xsr 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 93 48 9 unmarshal 1 93 return (Comment) unmarshaller.unmarshal(xsr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 85 48 10 parseXml 1 85 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 85 21 11 comment 7 85 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 86 33 12 comment 7 86 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 105 36 13 comment 7 105 public void addComment(Comment comment, boolean visibleForAllUsers) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 14 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 15 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 16 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 17 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 109 25 18 add 1 109 comments.add(comment); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 86 32 19 addComment 1 86 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 90 22 20 failed 1 90 return failed(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 90 34 21 build 1 90 return failed(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 78 56 1 commentStr 10 78 public AttackResult addComment(@RequestBody String commentStr) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 80 13 2 commentStr 10 80 if (commentStr.contains(CONTENTS)) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 85 49 3 commentStr 10 85 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 87 39 4 xml 3 87 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 62 5 xml 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 45 6 StringReader 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 44 7 createXMLStreamReader 1 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 13 8 xsr 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 93 48 9 unmarshal 1 93 return (Comment) unmarshaller.unmarshal(xsr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 85 48 10 parseXml 1 85 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 85 21 11 comment 7 85 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 86 33 12 comment 7 86 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 105 36 13 comment 7 105 public void addComment(Comment comment, boolean visibleForAllUsers) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 14 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 15 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 16 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 17 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 109 25 18 add 1 109 comments.add(comment); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 86 32 19 addComment 1 86 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 26 20 failed 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 39 21 output 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 59 22 build 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 53 59 1 commentStr 10 53

    public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 64 53 2 commentStr 10 64 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 87 39 3 xml 3 87 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 62 4 xml 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 45 5 StringReader 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 44 6 createXMLStreamReader 1 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 13 7 xsr 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 93 48 8 unmarshal 1 93 return (Comment) unmarshaller.unmarshal(xsr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 64 52 9 parseXml 1 64 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 64 25 10 comment 7 64 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 65 37 11 comment 7 65 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 105 36 12 comment 7 105 public void addComment(Comment comment, boolean visibleForAllUsers) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 13 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 14 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 15 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 16 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 109 25 17 add 1 109 comments.add(comment); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 65 36 18 addComment 1 65 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 67 43 19 success 1 67 attackResult = success(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 67 55 20 build 1 67 attackResult = success(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 67 21 21 attackResult 12 67 attackResult = success(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 75 16 22 attackResult 12 75 return attackResult; webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 66 62 1 commentStr 10 66 public AttackResult createNewComment(@RequestBody String commentStr) throws Exception { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 69 49 2 commentStr 10 69 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 87 39 3 xml 3 87 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 62 4 xml 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 45 5 StringReader 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 44 6 createXMLStreamReader 1 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 13 7 xsr 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 93 48 8 unmarshal 1 93 return (Comment) unmarshaller.unmarshal(xsr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 69 48 9 parseXml 1 69 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 69 21 10 comment 7 69 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 70 33 11 comment 7 70 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 105 36 12 comment 7 105 public void addComment(Comment comment, boolean visibleForAllUsers) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 13 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 14 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 15 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 16 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 109 25 17 add 1 109 comments.add(comment); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 70 13 18 comments 8 70 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 72 31 19 success 1 72 return success(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 72 43 20 build 1 72 return success(this).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 66 62 1 commentStr 10 66 public AttackResult createNewComment(@RequestBody String commentStr) throws Exception { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 69 49 2 commentStr 10 69 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 87 39 3 xml 3 87 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 62 4 xml 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 45 5 StringReader 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 44 6 createXMLStreamReader 1 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 90 13 7 xsr 3 90 var xsr = xif.createXMLStreamReader(new StringReader(xml)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 93 48 8 unmarshal 1 93 return (Comment) unmarshaller.unmarshal(xsr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 69 48 9 parseXml 1 69 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 69 21 10 comment 7 69 Comment comment = comments.parseXml(commentStr); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 70 33 11 comment 7 70 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 105 36 12 comment 7 105 public void addComment(Comment comment, boolean visibleForAllUsers) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 13 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 106 28 14 setDateTime 1 106 comment.setDateTime(DateTime.now().toString(fmt)); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 15 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 107 24 16 setUser 1 107 comment.setUser(webSession.getUserName()); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java 109 25 17 add 1 109 comments.add(comment); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 70 13 18 comments 8 70 comments.addComment(comment, false); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 77 22 19 failed 1 77 return failed(this).output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 77 35 20 output 1 77 return failed(this).output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 77 48 21 build 1 77 return failed(this).output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 45 66 1 userAgent 9 45

    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 70 2 text 4 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 39 3 format 1 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 16 4 logLine 7 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 28 5 logLine 7 51 pw.println(logLine); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 27 6 println 1 51 pw.println(logLine); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 62 1 username_reg 12 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 63 101 2 username_reg 12 63 String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 63 24 3 checkUserQuery 14 63 String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 65 62 4 checkUserQuery 14 65 ResultSet resultSet = statement.executeQuery(checkUserQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 65 61 5 executeQuery 1 65 ResultSet resultSet = statement.executeQuery(checkUserQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 51 56 1 userid_6a 9 51 public AttackResult completed(@RequestParam String userid_6a) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 52 32 2 userid_6a 9 52 return injectableQuery(userid_6a); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 3 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 4 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 60 6 query 5 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 7 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 48 89 1 userId 6 48 public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 49 13 2 userId 6 49 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 52 62 3 userId 6 52 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 4 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 5 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 6 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 60 7 query 5 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 8 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 48 101 1 userId 6 48 public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 18 2 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 36 3 toUpperCase 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 46 4 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 66 5 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 9 6 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 13 7 userId 6 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 53 62 8 userId 6 53 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 9 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 10 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 11 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 60 12 query 5 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 13 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 52 56 1 action_string 13 52 public AttackResult completed(@RequestParam String action_string) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 53 44 2 action_string 13 53 return injectableQueryAvailability(action_string); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 56 63 3 action 6 56 protected AttackResult injectableQueryAvailability(String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 58 74 4 action 6 58 String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 58 16 5 query 5 58 String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 60 6 query 5 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 59 7 executeQuery 1 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 55 56 1 query 5 55 public AttackResult completed(@RequestParam String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 56 32 2 query 5 56 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 59 51 3 query 5 59 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 62 56 4 query 5 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 62 55 5 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 56 56 1 query 5 56 public AttackResult completed(@RequestParam String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 57 32 2 query 5 57 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 60 51 3 query 5 60 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 65 41 4 query 5 65 statement.executeUpdate(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 65 40 5 executeUpdate 1 65 statement.executeUpdate(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 52 56 1 query 5 52 public AttackResult completed(@RequestParam String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 53 32 2 query 5 53 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 56 51 3 query 5 56 protected AttackResult injectableQuery(String query) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 59 41 4 query 5 59 statement.executeUpdate(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 59 40 5 executeUpdate 1 59 statement.executeUpdate(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 56 1 account 7 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 32 2 account 7 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 60 6 query 5 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 7 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 86 1 operator 8 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 48 2 operator 8 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 60 6 query 5 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 7 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 117 1 injection 9 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 65 2 injection 9 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 60 6 query 5 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 7 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 53 56 1 name 4 53 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 47 2 name 4 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 57 66 3 name 4 57 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 72 4 name 4 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 16 5 query 5 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 60 6 query 5 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 59 7 executeQuery 1 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 53 56 1 name 4 53 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 47 2 name 4 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 57 66 3 name 4 57 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 72 4 name 4 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 16 5 query 5 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 64 33 6 query 5 64 log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 53 83 1 auth_tan 8 53 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 53 2 auth_tan 8 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 57 79 3 auth_tan 8 57 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 102 4 auth_tan 8 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 16 5 query 5 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 60 6 query 5 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 59 7 executeQuery 1 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 53 83 1 auth_tan 8 53 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 53 2 auth_tan 8 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 57 79 3 auth_tan 8 57 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 102 4 auth_tan 8 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 16 5 query 5 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 64 33 6 query 5 64 log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 55 56 1 name 4 55 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 41 2 name 4 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 59 60 3 name 4 59 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 72 4 name 4 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 16 5 query 5 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 65 53 6 query 5 65 SqlInjectionLesson8.log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 55 56 1 name 4 55 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 41 2 name 4 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 59 60 3 name 4 59 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 72 4 name 4 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 16 5 query 5 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 60 6 query 5 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 59 7 executeQuery 1 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 55 83 1 auth_tan 8 55 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 47 2 auth_tan 8 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 59 73 3 auth_tan 8 59 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 102 4 auth_tan 8 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 16 5 query 5 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 65 53 6 query 5 65 SqlInjectionLesson8.log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 55 83 1 auth_tan 8 55 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 47 2 auth_tan 8 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 59 73 3 auth_tan 8 59 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 102 4 auth_tan 8 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 16 5 query 5 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 60 6 query 5 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 59 7 executeQuery 1 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 51 52 1 username_login 14 51

    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 129 2 username_login 14 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 70 3 prepareStatement 1 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 31 4 statement 9 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 35 5 statement 9 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 57 6 executeQuery 1 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 51 89 1 password_login 14 51

    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 169 2 password_login 14 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 70 3 prepareStatement 1 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 31 4 statement 9 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 35 5 statement 9 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 57 6 executeQuery 1 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 56 1 userid 6 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 58 66 7 prepareStatement 1 58

            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 58 31 8 query 5 58

            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 68 13 9 query 5 68 query.setInt(1, count); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 71 37 10 query 5 71 ResultSet results = query.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 71 55 11 executeQuery 1 71 ResultSet results = query.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 69 51 1 column 6 69 public List<Server> sort(@RequestParam String column) throws Exception { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 73 189 2 column 6 73

             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 73 79 3 prepareStatement 1 73

             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 73 198 4 preparedStatement 1 73

             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 74 28 5 preparedStatement 17 74 ResultSet rs = preparedStatement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 74 58 6 executeQuery 1 74 ResultSet rs = preparedStatement.executeQuery(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 56 59 1 executeQuery 1 56 ResultSet results = statement.executeQuery(query); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 56 27 2 results 7 56 ResultSet results = statement.executeQuery(query); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 60 40 3 next 1 60 while (results.next()) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 62 63 4 getString 1 62 userMap.put("first", results.getString(1)); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 66 64 5 getString 1 66 userMap.put("cookie", results.getString(5)); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 66 36 6 put 1 66 userMap.put("cookie", results.getString(5)); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 67 25 7 userMap 7 67 userMap.put("loginCount", Integer.toString(results.getInt(6))); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 68 60 8 userMap 7 68 allUsersMap.put(results.getInt(0), userMap); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 68 40 9 put 1 68 allUsersMap.put(results.getInt(0), userMap); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 71 28 10 allUsersMap 11 71 return allUsersMap; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 1 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 27 2 results 7 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 67 3 results 7 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 88 47 4 results 7 88 public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 103 32 5 next 1 103 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 6 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 7 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 29 8 append 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 107 21 9 t 1 107 t.append(", "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 110 17 10 t 1 110 t.append(" "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 117 9 11 t 1 117 t.append(""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 17 12 t 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 27 13 toString 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 66 14 writeTable 1 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 34 15 append 1 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 63 16 output 6 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 25 17 output 6 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 83 25 18 output 6 83 output.append(appendingWhenSucceded); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 105 19 output 6 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 120 20 toString 1 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 104 21 feedbackArgs 1 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 130 22 output 1 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 84 165 23 build 1 84

                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 52 31 24 injectableQuery 1 52 return injectableQuery(userid_6a); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 59 1 executeQuery 1 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 27 2 results 7 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 67 69 3 results 7 67 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 96 50 4 results 7 96 public static String generateTable(ResultSet results) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 111 32 5 next 1 111 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 43 6 results 7 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 60 7 getString 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 33 8 append 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 116 17 9 table 5 116 table.append("</tr>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 123 9 10 table 5 123 table.append("</table>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 17 11 table 5 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 31 12 toString 1 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 67 68 13 generateTable 1 67 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 67 34 14 append 1 67 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 68 85 15 output 6 68 return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 68 100 16 toString 1 68 return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 68 84 17 output 1 68 return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 68 109 18 build 1 68 return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 53 43 19 injectableQueryAvailability 1 53 return injectableQueryAvailability(action_string); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 62 55 1 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 62 23 2 results 7 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 69 65 3 results 7 69 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 96 50 4 results 7 96 public static String generateTable(ResultSet results) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 111 32 5 next 1 111 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 43 6 results 7 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 60 7 getString 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 33 8 append 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 116 17 9 table 5 116 table.append("</tr>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 123 9 10 table 5 123 table.append("</table>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 17 11 table 5 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 31 12 toString 1 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 69 64 13 generateTable 1 69 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 69 30 14 append 1 69 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 81 15 output 6 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 96 16 toString 1 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 80 17 output 1 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 70 105 18 build 1 70 return success(this).feedback("sql-injection.2.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 56 31 19 injectableQuery 1 56 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 66 64 1 executeQuery 1 66 ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 66 27 2 results 7 66 ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 72 69 3 results 7 72 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 96 50 4 results 7 96 public static String generateTable(ResultSet results) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 111 32 5 next 1 111 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 43 6 results 7 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 60 7 getString 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 33 8 append 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 116 17 9 table 5 116 table.append("</tr>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 123 9 10 table 5 123 table.append("</table>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 17 11 table 5 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 31 12 toString 1 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 72 68 13 generateTable 1 72 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 72 34 14 append 1 72 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 49 15 output 6 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 64 16 toString 1 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 48 17 output 1 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 73 73 18 build 1 73 return success(this).output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 57 31 19 injectableQuery 1 57 return injectableQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 1 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 27 2 results 7 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 68 46 3 results 7 68 output.append(writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 88 47 4 results 7 88 public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 103 32 5 next 1 103 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 6 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 7 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 29 8 append 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 107 21 9 t 1 107 t.append(", "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 110 17 10 t 1 110 t.append(" "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 117 9 11 t 1 117 t.append(""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 17 12 t 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 27 13 toString 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 68 45 14 writeTable 1 68 output.append(writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 68 34 15 append 1 68 output.append(writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 145 16 output 6 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 160 17 toString 1 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 144 18 feedbackArgs 1 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 169 19 build 1 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 31 20 injectableQuery 1 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 59 1 executeQuery 1 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 27 2 results 7 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 69 53 3 results 7 69 output.append(generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 96 50 4 results 7 96 public static String generateTable(ResultSet results) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 111 32 5 next 1 111 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 43 6 results 7 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 60 7 getString 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 33 8 append 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 116 17 9 table 5 116 table.append("</tr>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 123 9 10 table 5 123 table.append("</table>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 17 11 table 5 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 31 12 toString 1 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 69 52 13 generateTable 1 69 output.append(generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 69 38 14 append 1 69 output.append(generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 74 93 15 output 6 74 return success(this).feedback("sql-injection.8.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 74 108 16 toString 1 74 return success(this).feedback("sql-injection.8.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 74 92 17 output 1 74 return success(this).feedback("sql-injection.8.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 74 117 18 build 1 74 return success(this).feedback("sql-injection.8.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 46 19 injectableQueryConfidentiality 1 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 59 1 executeQuery 1 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 27 2 results 7 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 70 73 3 results 7 70 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 96 50 4 results 7 96 public static String generateTable(ResultSet results) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 111 32 5 next 1 111 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 43 6 results 7 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 60 7 getString 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 33 8 append 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 116 17 9 table 5 116 table.append("</tr>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 123 9 10 table 5 123 table.append("</table>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 17 11 table 5 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 31 12 toString 1 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 70 72 13 generateTable 1 70 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 70 38 14 append 1 70 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 81 51 15 output 6 81 return checkSalaryRanking(connection, output); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 89 81 16 output 6 89 private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 102 80 17 output 6 102 return failed(this).feedback("sql-injection.9.one").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 102 95 18 toString 1 102 return failed(this).feedback("sql-injection.9.one").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 102 79 19 output 1 102 return failed(this).feedback("sql-injection.9.one").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 102 104 20 build 1 102 return failed(this).feedback("sql-injection.9.one").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 81 38 21 checkSalaryRanking 1 81 return checkSalaryRanking(connection, output); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 40 22 injectableQueryIntegrity 1 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 94 59 1 executeQuery 1 94 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 94 27 2 results 7 94 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 99 69 3 results 7 99 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 96 50 4 results 7 96 public static String generateTable(ResultSet results) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 111 32 5 next 1 111 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 43 6 results 7 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 60 7 getString 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 114 33 8 append 1 114 table.append("<td>" + results.getString(i) + "</td>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 116 17 9 table 5 116 table.append("</tr>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 123 9 10 table 5 123 table.append("</table>"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 17 11 table 5 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 124 31 12 toString 1 124 return (table.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 99 68 13 generateTable 1 99 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 99 34 14 append 1 99 output.append(SqlInjectionLesson8.generateTable(results)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 100 85 15 output 6 100 return success(this).feedback("sql-injection.9.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 100 100 16 toString 1 100 return success(this).feedback("sql-injection.9.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 100 84 17 output 1 100 return success(this).feedback("sql-injection.9.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 100 109 18 build 1 100 return success(this).feedback("sql-injection.9.success").output(output.toString()).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 81 38 19 checkSalaryRanking 1 81 return checkSalaryRanking(connection, output); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 40 20 injectableQueryIntegrity 1 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 71 55 1 executeQuery 1 71 ResultSet results = query.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 71 27 2 results 7 71 ResultSet results = query.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 77 67 3 results 7 77 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 88 47 4 results 7 88 public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 103 32 5 next 1 103 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 6 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 7 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 29 8 append 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 107 21 9 t 1 107 t.append(", "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 110 17 10 t 1 110 t.append(" "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 117 9 11 t 1 117 t.append(""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 17 12 t 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 27 13 toString 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 77 66 14 writeTable 1 77 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 77 34 15 append 1 77 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 163 16 output 6 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 178 17 toString 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 162 18 feedbackArgs 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 187 19 build 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 31 20 injectableQuery 1 52 return injectableQuery(login_count, userid); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 97 103 1 listFiles 1 97 .body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 97 66 2 arrayToCommaDelimitedString 1 97 .body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 97 115 3 getBytes 1 97 .body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 97 26 4 body 1 97 .body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes()); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 46 56 1 token 5 46 public AttackResult completed(@RequestParam String token) throws IOException { webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 52 20 2 token 5 52 b64token = token.replace('-', '+').replace('_', '/'); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 52 33 3 replace 1 52 b64token = token.replace('-', '+').replace('_', '/'); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 52 51 4 replace 1 52 b64token = token.replace('-', '+').replace('_', '/'); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 52 9 5 b64token 8 52 b64token = token.replace('-', '+').replace('_', '/'); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 54 112 6 b64token 8 54

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {

webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 54 111 7 decode 1 54

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {

webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 54 60 8 ByteArrayInputStream 3 54

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {

webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 54 38 9 ObjectInputStream 3 54

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {

webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 56 38 10 readObject 1 56 Object o = ois.readObject(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 42 49 1 payload 7 42 AttackResult completed(@RequestParam String payload) { webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 2 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 3 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 59 1 ""\r"" 4 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 2 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 3 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 4 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 5 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 6 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 7 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 41 1 ""\n"" 4 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 40 2 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 3 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 4 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 5 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 6 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 7 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 8 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 41 1 ""-----END PRIVATE KEY-----"" 27 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 40 2 replace 1 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 3 3 privateKeyPem 13 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 19 4 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 40 5 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 6 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 7 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 8 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 9 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 10 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 11 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 124 41 1 ""-----BEGIN PRIVATE KEY-----"" 29 124 privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 124 40 2 replace 1 124 privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 124 3 3 privateKeyPem 13 124 privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 19 4 privateKeyPem 13 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 40 5 replace 1 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 3 6 privateKeyPem 13 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 19 7 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 40 8 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 9 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 10 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 11 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 12 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 13 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 14 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 124 72 1 """" 2 124 privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 124 40 2 replace 1 124 privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 124 3 3 privateKeyPem 13 124 privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 19 4 privateKeyPem 13 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 40 5 replace 1 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 3 6 privateKeyPem 13 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 19 7 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 40 8 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 9 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 10 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 11 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 12 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 13 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 14 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 70 1 """" 2 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 40 2 replace 1 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 125 3 3 privateKeyPem 13 125 privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 19 4 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 40 5 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 6 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 7 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 8 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 9 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 10 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 11 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 47 1 """" 2 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 40 2 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 3 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 4 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 5 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 6 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 7 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 8 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 65 1 """" 2 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 58 2 replace 1 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 126 3 3 privateKeyPem 13 126 privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", ""); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 53 4 privateKeyPem 13 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 52 5 decode 1 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 129 16 6 decoded 7 129 byte [] decoded = Base64.getDecoder().decode(privateKeyPem); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 131 59 7 decoded 7 131 PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java 88 23 1 ""secret"" 8 88 String jsonSecret = "secret"; webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java 88 10 2 jsonSecret 10 88 String jsonSecret = "secret"; webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java 89 70 3 jsonSecret 10 89 String jwtToken = jwtFinalEndpoint.encode(jsonHeader, jsonPayload, jsonSecret).replace(":", "") webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 92 42 4 jsonSecret 10 92 @RequestParam("jsonSecret") String jsonSecret) throws NoSuchAlgorithmException { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 105 110 5 jsonSecret 10 105

				encodedSignature = TextCodec.BASE64URL.encode(getJWTSignature(jsonHeader, encodedHeader, encodedPayload, jsonSecret));

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 117 107 6 jsonSecret 10 117

    private byte[] getJWTSignature(String jsonHeader, String encodedHeader, String encodedPayload, String jsonSecret) throws NoSuchAlgorithmException, InvalidKeyException {

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 124 78 7 jsonSecret 10 124 SecretKeySpec secret_key = new SecretKeySpec(TextCodec.BASE64.decode(jsonSecret), algorithm); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 124 77 8 decode 1 124 SecretKeySpec secret_key = new SecretKeySpec(TextCodec.BASE64.decode(jsonSecret), algorithm); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 25 35 1 nextInt 1 25 int j = random.nextInt(a.length); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 53 68 1 nextInt 1 53 String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)]; webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 55 48 1 nextInt 1 55 String secret = SECRETS[new Random().nextInt(SECRETS.length)]; webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 74 48 1 nextInt 1 74 String secret = SECRETS[new Random().nextInt(SECRETS.length)]; webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 63 76 1 nextInt 1 63 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 69 76 1 nextInt 1 69 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 80 72 1 nextInt 1 80 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 51 97 1 nextInt 1 51 public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 25 35 1 nextInt 1 25 int j = random.nextInt(a.length); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 53 68 1 nextInt 1 53 String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)]; webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 55 48 1 nextInt 1 55 String secret = SECRETS[new Random().nextInt(SECRETS.length)]; webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 74 48 1 nextInt 1 74 String secret = SECRETS[new Random().nextInt(SECRETS.length)]; webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 63 76 1 nextInt 1 63 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 69 76 1 nextInt 1 69 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 80 72 1 nextInt 1 80 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 51 97 1 nextInt 1 51 public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 62 1 username_reg 12 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 75 52 2 username_reg 12 75 preparedStatement.setString(1, username_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 75 48 3 setString 1 75 preparedStatement.setString(1, username_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 76 21 4 preparedStatement 17 76 preparedStatement.setString(2, email_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 77 21 5 preparedStatement 17 77 preparedStatement.setString(3, password_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 21 6 preparedStatement 17 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 46 7 execute 1 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 97 1 email_reg 9 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 76 52 2 email_reg 9 76 preparedStatement.setString(2, email_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 76 48 3 setString 1 76 preparedStatement.setString(2, email_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 77 21 4 preparedStatement 17 77 preparedStatement.setString(3, password_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 21 5 preparedStatement 17 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 46 6 execute 1 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 129 1 password_reg 12 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 77 52 2 password_reg 12 77 preparedStatement.setString(3, password_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 77 48 3 setString 1 77 preparedStatement.setString(3, password_reg); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 21 4 preparedStatement 17 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 46 5 execute 1 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 53 56 1 name 4 53 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 47 2 name 4 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 57 66 3 name 4 57 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 72 4 name 4 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 16 5 query 5 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 64 33 6 query 5 64 log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 53 83 1 auth_tan 8 53 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 54 53 2 auth_tan 8 54 return injectableQueryConfidentiality(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 57 79 3 auth_tan 8 57 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 102 4 auth_tan 8 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 59 16 5 query 5 59 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 64 33 6 query 5 64 log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 55 56 1 name 4 55 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 41 2 name 4 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 59 60 3 name 4 59 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 72 4 name 4 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 16 5 query 5 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 65 53 6 query 5 65 SqlInjectionLesson8.log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 55 83 1 auth_tan 8 55 public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 47 2 auth_tan 8 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 59 73 3 auth_tan 8 59 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 102 4 auth_tan 8 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 61 16 5 query 5 61 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 65 53 6 query 5 65 SqlInjectionLesson8.log(connection, query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 127 58 7 action 6 127 public static void log(Connection connection, String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 18 8 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 32 9 replace 1 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 128 9 10 action 6 128 action = action.replace('\'', '"'); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 95 11 action 6 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 133 16 12 logQuery 8 133 String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 37 13 logQuery 8 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 14 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 53 11 1 password 8 53 String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)]; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 59 16 1 password 8 59 String password = (String) json.get("password"); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 68 20 1 passwordTom 11 68 String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 61 16 1 password 8 61 String password = "dave"; webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java 31 20 1 password 8 31 private String password = ""; webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 51 32 1 usersToTomPassword 18 51 static Map<String, String> usersToTomPassword = Maps.newHashMap(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 49 38 1 args 4 49 public static void main(String[] args) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 85 2 element 7 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 39 3 println 1 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 33 38 1 args 4 33 public static void main(String[] args) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 38 27 2 args 4 38 String username = args[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 38 16 3 username 8 38 String username = args[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 40 68 4 username 8 40 System.out.println("Generation password reset link for " + username); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java 40 27 5 println 1 40 System.out.println("Generation password reset link for " + username); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 45 116 1 text 4 45

    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 70 2 text 4 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 39 3 format 1 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 16 4 logLine 7 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 28 5 logLine 7 51 pw.println(logLine); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 27 6 println 1 51 pw.println(logLine); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 45 66 1 userAgent 9 45

    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 59 2 userAgent 9 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 39 3 format 1 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 16 4 logLine 7 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 28 5 logLine 7 51 pw.println(logLine); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 27 6 println 1 51 pw.println(logLine); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 40 56 1 password 8 40 public AttackResult completed(@RequestParam String password) { webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 48 43 2 password 8 48 output.append("Length: " + password.length() + ""); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 48 58 3 length 1 48 output.append("Length: " + password.length() + ""); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 48 22 4 append 1 48 output.append("Length: " + password.length() + ""); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 49 9 5 output 6 49

        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 9 6 output 6 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 52 13 7 output 6 52

            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 58 9 8 output 6 58

        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 68 9 9 output 6 68 output.append("Score: " + strength.getScore() + "/4 "); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 69 9 10 output 6 69

        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 76 11 output 6 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 91 12 toString 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 75 13 output 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 100 14 build 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 44 1 password 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 43 2 measure 1 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 18 3 strength 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 49 94 4 strength 8 49

        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 90 5 strength 8 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 107 6 getScore 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 22 7 append 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 52 13 8 output 6 52

            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 58 9 9 output 6 58

        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 68 9 10 output 6 68 output.append("Score: " + strength.getScore() + "/4 "); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 69 9 11 output 6 69

        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 76 12 output 6 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 91 13 toString 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 75 14 output 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 72 100 15 build 1 72 return success(this).feedback("securepassword-success").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 40 56 1 password 8 40 public AttackResult completed(@RequestParam String password) { webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 48 43 2 password 8 48 output.append("Length: " + password.length() + ""); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 48 58 3 length 1 48 output.append("Length: " + password.length() + ""); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 48 22 4 append 1 48 output.append("Length: " + password.length() + ""); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 49 9 5 output 6 49

        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 9 6 output 6 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 52 13 7 output 6 52

            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 58 9 8 output 6 58

        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");

        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 74 11 output 6 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 89 12 toString 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 73 13 output 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 98 14 build 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 44 1 password 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 43 2 measure 1 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 45 18 3 strength 8 45 Strength strength = zxcvbn.measure(password); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 49 94 4 strength 8 49

        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 90 5 strength 8 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 107 6 getScore 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 50 22 7 append 1 50

        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 52 13 8 output 6 52

            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 58 9 9 output 6 58

        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");

        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 74 12 output 6 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 89 13 toString 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 73 14 output 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java 74 98 15 build 1 74 return failed(this).feedback("securepassword-failed").output(output.toString()).build(); webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 39 63 1 text 1 39 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 39 34 2 replace 1 39 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 39 17 3 comment 7 39 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 40 27 4 comment 7 40 comment = comment.replace('STARS', result[i].stars) webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 40 34 5 replace 1 40 comment = comment.replace('STARS', result[i].stars) webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 40 17 6 comment 7 40 comment = comment.replace('STARS', result[i].stars) webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 41 35 7 comment 7 41 $("#list").append(comment); webgoat-lessons/csrf/src/main/resources/js/csrf-review.js 41 27 8 append 1 41 $("#list").append(comment); webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js 39 63 1 text 1 39 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js 39 34 2 replace 1 39 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js 39 17 3 comment 7 39 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js 40 35 4 comment 7 40 $("#list").append(comment); webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js 40 27 5 append 1 40 $("#list").append(comment); webgoat-lessons/xxe/src/main/resources/js/xxe.js 77 59 1 text 1 77 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/xxe/src/main/resources/js/xxe.js 77 30 2 replace 1 77 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/xxe/src/main/resources/js/xxe.js 77 13 3 comment 7 77 comment = comment.replace('COMMENT', result[i].text); webgoat-lessons/xxe/src/main/resources/js/xxe.js 78 29 4 comment 7 78 $(field).append(comment); webgoat-lessons/xxe/src/main/resources/js/xxe.js 78 21 5 append 1 78 $(field).append(comment); webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java 62 61 1 ""secret"" 8 62 mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test"))) webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java 62 60 2 param 1 62 mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test"))) webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 58 17 1 secret 6 58 md.update(secret.getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 58 32 2 getBytes 1 58 md.update(secret.getBytes()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 66 90 1 secret 6 66 public AttackResult execute(@RequestParam(value = "secret", required = false) String secret) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 67 86 2 secret 6 67 if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 45 56 1 url 3 45 public AttackResult completed(@RequestParam String url) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 46 24 2 url 3 46 return furBall(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 49 43 3 url 3 49 protected AttackResult furBall(String url) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 53 17 4 url 3 53 if (url.matches("http://ifconfig.pro")) { webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 54 33 5 url 3 54 URL u = new URL(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 54 25 6 URL 3 54 URL u = new URL(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 54 21 7 u 1 54 URL u = new URL(url); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 55 47 8 u 1 55 URLConnection urlConnection = u.openConnection(); webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java 55 63 9 openConnection 1 55 URLConnection urlConnection = u.openConnection(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 75 67 1 request 7 75 public ResponseEntity<?> getProfilePicture(HttpServletRequest request) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 27 2 request 7 76 var queryParams = request.getQueryString(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 49 3 getQueryString 1 76 var queryParams = request.getQueryString(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 89 52 1 user 4 89 public void login(@RequestParam("user") String user, HttpServletResponse response) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 32 2 user 4 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 23 3 put 1 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 32 4 claims 6 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 31 5 setClaims 1 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 30 6 signWith 1 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 97 29 7 compact 1 97 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 94 20 8 token 5 94 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 56 9 token 5 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 29 10 Cookie 3 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 20 11 cookie 6 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 99 32 12 cookie 6 99 response.addCookie(cookie); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 99 31 13 addCookie 1 99 response.addCookie(cookie); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 100 13 14 response 8 100 response.setStatus(HttpStatus.OK.value()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 101 13 15 response 8 101 response.setContentType(MediaType.APPLICATION_JSON_VALUE); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 101 36 16 setContentType 1 101 response.setContentType(MediaType.APPLICATION_JSON_VALUE); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 89 52 1 user 4 89 public void login(@RequestParam("user") String user, HttpServletResponse response) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 32 2 user 4 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 23 3 put 1 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 32 4 claims 6 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 31 5 setClaims 1 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 30 6 signWith 1 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 97 29 7 compact 1 97 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 94 20 8 token 5 94 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 56 9 token 5 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 29 10 Cookie 3 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 20 11 cookie 6 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 99 32 12 cookie 6 99 response.addCookie(cookie); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 99 31 13 addCookie 1 99 response.addCookie(cookie); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 62 1 username_reg 12 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 63 101 2 username_reg 12 63 String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 63 24 3 checkUserQuery 14 63 String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 65 62 4 checkUserQuery 14 65 ResultSet resultSet = statement.executeQuery(checkUserQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 65 61 5 executeQuery 1 65 ResultSet resultSet = statement.executeQuery(checkUserQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 52 56 1 action_string 13 52 public AttackResult completed(@RequestParam String action_string) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 53 44 2 action_string 13 53 return injectableQueryAvailability(action_string); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 56 63 3 action 6 56 protected AttackResult injectableQueryAvailability(String action) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 58 74 4 action 6 58 String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 58 16 5 query 5 58 String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 60 6 query 5 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 59 7 executeQuery 1 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 48 51 1 request 7 48 public String getBasicAuth(HttpServletRequest request) { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 50 31 2 request 7 50 String basicAuth = (String) request.getSession().getAttribute("basicAuth"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 51 21 3 request 7 51 String username = request.getUserPrincipal().getName(); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 51 45 4 getUserPrincipal 1 51 String username = request.getUserPrincipal().getName(); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 51 55 5 getName 1 51 String username = request.getUserPrincipal().getName(); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 51 10 6 username 8 51 String username = request.getUserPrincipal().getName(); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 54 29 7 username 8 54 basicAuth = getBasicAuth(username, password); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 42 43 8 username 8 42 public static String getBasicAuth(String username, String password) { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 43 48 9 username 8 43 return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 43 63 10 concat 1 43 return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 43 75 11 concat 1 43 return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 43 94 12 getBytes 1 43 return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 43 47 13 encodeToString 1 43 return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 54 28 14 getBasicAuth 1 54 basicAuth = getBasicAuth(username, password); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 54 4 15 basicAuth 9 54 basicAuth = getBasicAuth(username, password); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 55 51 16 basicAuth 9 55 request.getSession().setAttribute("basicAuth", basicAuth); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 79 76 1 link 4 79 public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 83 31 2 link 4 83 form.setResetLink(link); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 83 30 3 setResetLink 1 83 form.setResetLink(link); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 84 40 4 form 4 84 model.addAttribute("form", form); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 49 38 1 args 4 49 public static void main(String[] args) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 67 2 element 7 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 58 3 File 3 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 73 1 JWT_PASSWORD 12 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 30 2 signWith 1 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 97 29 3 compact 1 97 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 94 20 4 token 5 94 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 56 5 token 5 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 29 6 Cookie 3 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 20 7 cookie 6 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 99 32 8 cookie 6 99 response.addCookie(cookie); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java 41 94 1 secretText 10 41

    public AttackResult completed(@RequestParam String secretFileName,  @RequestParam String secretText) throws NoSuchAlgorithmException {

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java 43 60 2 secretText 10 43

        	if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 103 41 3 secret 6 103 public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 105 16 4 secret 6 105 md.update(secret.getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 105 31 5 getBytes 1 105 md.update(secret.getBytes()); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 105 15 6 update 1 105 md.update(secret.getBytes()); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 63 54 1 ""SHA-256"" 9 63 MessageDigest md = MessageDigest.getInstance("SHA-256"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 63 53 2 getInstance 1 63 MessageDigest md = MessageDigest.getInstance("SHA-256"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 63 23 3 md 2 63 MessageDigest md = MessageDigest.getInstance("SHA-256"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 67 23 4 md 2 67 byte[] hash = md.digest(salted.getBytes("UTF-8")); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 67 32 5 digest 1 67 byte[] hash = md.digest(salted.getBytes("UTF-8")); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 63 54 1 ""SHA-256"" 9 63 MessageDigest md = MessageDigest.getInstance("SHA-256"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 63 53 2 getInstance 1 63 MessageDigest md = MessageDigest.getInstance("SHA-256"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 63 23 3 md 2 63 MessageDigest md = MessageDigest.getInstance("SHA-256"); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 67 23 4 md 2 67 byte[] hash = md.digest(salted.getBytes("UTF-8")); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java 67 32 5 digest 1 67 byte[] hash = md.digest(salted.getBytes("UTF-8")); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 56 59 1 executeQuery 1 56 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 65 61 1 executeQuery 1 65 ResultSet resultSet = statement.executeQuery(checkUserQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 1 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 67 59 1 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 63 59 1 executeQuery 1 63 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 92 50 1 executeQuery 1 92 ResultSet results = stmt.executeQuery("SELECT * FROM access_log"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 62 55 1 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 65 40 1 executeUpdate 1 65 statement.executeUpdate(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 66 64 1 executeQuery 1 66 ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 59 40 1 executeUpdate 1 59 statement.executeUpdate(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 61 59 1 executeQuery 1 61 ResultSet results = statement.executeQuery("SELECT phone from employees;"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 1 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 65 59 1 executeQuery 1 65 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 137 36 1 executeUpdate 1 137 statement.executeUpdate(logQuery); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 66 59 1 executeQuery 1 66 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 94 59 1 executeQuery 1 94 ResultSet results = statement.executeQuery(query); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 57 1 executeQuery 1 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 78 46 1 execute 1 78 preparedStatement.execute(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java 54 57 1 executeQuery 1 54 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 71 55 1 executeQuery 1 71 ResultSet results = query.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 74 58 1 executeQuery 1 74 ResultSet rs = preparedStatement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13.java 58 65 1 executeQuery 1 58 ResultSet resultSet = preparedStatement.executeQuery(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java 26 89 1 readAllBytes 1 26 byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 135 31 1 read 1 135 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 31 1 read 1 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java 56 38 1 readObject 1 56 Object o = ois.readObject(); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 21 34 1 readObject 1 21 Object o = ois.readObject(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 135 32 1 buffer 6 135 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 32 1 buffer 6 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 59 56 1 first 1 59 if ((results != null) && (results.first() == true)) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 69 56 1 first 1 69 if ((results != null) && (results.first())) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 80 33 1 last 1 80 results.last(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 69 53 1 first 1 69 if (results != null && results.first()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java 66 34 1 first 1 66 results.first(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java 65 26 1 first 1 65 results.first(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java 69 30 1 first 1 69 results.first(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 64 34 1 first 1 64 if (results.first()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 64 56 1 first 1 64 if ((results != null) && (results.first())) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 69 33 1 last 1 69 results.last(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 90 28 1 beforeFirst 1 90 results.beforeFirst(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 101 32 1 beforeFirst 1 101 results.beforeFirst(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 73 56 1 first 1 73 if ((results != null) && (results.first() == true)) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 78 33 1 last 1 78 results.last(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 68 38 1 first 1 68 if (results.first()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 70 37 1 last 1 70 results.last(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 99 28 1 beforeFirst 1 99 results.beforeFirst(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java 110 32 1 beforeFirst 1 110 results.beforeFirst(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 69 38 1 first 1 69 if (results.first()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 96 30 1 first 1 96 results.first(); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 38 22 1 writeLong 1 38 dos.writeLong(-8699352886133051976L); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 30 24 1 writeObject 1 30 oos.writeObject(o); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 51 27 1 println 1 51 pw.println(logLine); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 97 103 1 listFiles 1 97 .body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes()); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 59 34 1 mkdir 1 59 targetDirectory.mkdir(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 67 34 1 mkdir 1 67 targetDirectory.mkdir(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 44 41 1 mkdirs 1 44 this.catPicturesDirectory.mkdirs(); webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 57 18 1 path 4 57 @PostMapping(path = "/auth-bypass/verify-account", produces = {"application/json"}) webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java 72 21 1 path 4 72 @RequestMapping(path = "/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE) webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java 52 18 1 path 4 52 @PostMapping(path = "/ChromeDevTools/network", params = "networkNum") webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java 64 17 1 path 4 64

    @GetMapping(path = "/CrossSiteScriptingStored/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java 46 14 1 path 4 46 @GetMapping(path="/crypto/encoding/basic",produces=MediaType.TEXT_HTML_VALUE) webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 48 18 1 path 4 48 @RequestMapping(path="/crypto/hashing/md5",produces=MediaType.TEXT_HTML_VALUE) webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 68 18 1 path 4 68 @RequestMapping(path="/crypto/hashing/sha256",produces=MediaType.TEXT_HTML_VALUE) webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 50 18 1 path 4 50 @RequestMapping(path="/crypto/signing/getprivate",produces=MediaType.TEXT_HTML_VALUE) webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java 45 18 1 path 4 45 @PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"}) webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 79 18 1 path 4 79 @PostMapping(path = "/csrf/feedback", produces = "application/json") webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java 49 21 1 path 4 49 @RequestMapping(path = "/csrf/basic-get-flag", produces = {"application/json"}, method = RequestMethod.POST) webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java 48 18 1 path 4 48 @PostMapping(path = "/csrf/login", produces = {"application/json"}) webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 62 17 1 path 4 62 @GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE) webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequest.java 35 21 1 path 4 35 @RequestMapping(path = "/HttpProxies/intercept-request", method = {RequestMethod.POST, RequestMethod.GET}) webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 39 17 1 path 4 39 @PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java 46 17 1 path 4 46 @GetMapping(path = "/IDOR/profile/{userId}", produces = {"application/json"}) webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java 42 17 1 path 4 42 @GetMapping(path = {"/IDOR/own", "/IDOR/profile"}, produces = {"application/json"}) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 88 18 1 path 4 88 @PostMapping(path="/JWT/encode",produces=MediaType.TEXT_HTML_VALUE) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 130 18 1 path 4 130 @PostMapping(path="/JWT/decode",produces=MediaType.TEXT_HTML_VALUE) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java 55 21 1 path 4 55 @RequestMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE) webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java 45 18 1 path 4 45 @PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"}) webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 53 21 1 path 4 53 @RequestMapping(path = {"users"}, method = RequestMethod.GET) webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 70 21 1 path 4 70 @RequestMapping(path = {"users", "/"}, method = RequestMethod.GET,consumes = "application/json") webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java 82 21 1 path 4 82

    @RequestMapping(path = {"users","/"}, method = RequestMethod.POST, consumes = "application/json", produces = "application/json")

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java 44 18 1 path 4 44 @PostMapping(path = "/access-control/user-hash", produces = {"application/json"}) webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 53 18 1 path 4 53 @PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 56 18 1 path 4 56 @PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 76 18 1 path 4 76 @PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 51 18 1 path 4 51 @PostMapping(path = "xxe/content-type") webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 64 18 1 path 4 64 @PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE) webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 89 21 1 path 4 89 @RequestMapping(path = "/xxe/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE) webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 95 21 1 path 4 95 @RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE) webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 57 14 1 targetDirectory 15 57 File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering"); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 72 14 1 d 1 72 File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 65 14 1 targetDirectory 15 65 File targetDirectory = new File(webGoatHomeDirectory, "/XXE"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 48 14 1 logFile 7 48 File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt"); webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java 79 14 1 targetFile 10 79 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java 103 14 1 targetFile 10 103 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 50 30 1 pw 2 50 try (PrintWriter pw = new PrintWriter(logFile)) { webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java 52 61 1 toLowerCase 1 52

		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {

webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java 52 70 2 equals 1 52

		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java 40 48 1 toLowerCase 1 40 if (answer_xss_1.toString().toLowerCase().equals("yes")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java 40 57 2 equals 1 40 if (answer_xss_1.toString().toLowerCase().equals("yes")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 48 31 1 toLowerCase 1 48 if (field2.toLowerCase().matches(".*<script>.*(console\\.log\$.*\$|alert\$.*\$);?<\\/script>.*")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 48 41 2 matches 1 48 if (field2.toLowerCase().matches(".*<script>.*(console\\.log\$.*\$|alert\$.*\$);?<\\/script>.*")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 66 31 1 toLowerCase 1 66 if (field1.toLowerCase().matches("<script>.*(console\\.log\$.*\$|alert\$.*\$)<\\/script>")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 66 41 2 matches 1 66 if (field1.toLowerCase().matches("<script>.*(console\\.log\$.*\$|alert\$.*\$)<\\/script>")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 69 35 1 toLowerCase 1 69 if (field1.toLowerCase().contains("console.log")) { webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 69 46 2 contains 1 69 if (field1.toLowerCase().contains("console.log")) { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 117 121 1 toUpperCase 1 117

			result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java 117 101 2 equals 1 117

			result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 108 43 1 toUpperCase 1 108 .printHexBinary(digest).toUpperCase(); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java 43 59 2 getHash 1 43

        	if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java 43 99 3 equalsIgnoreCase 1 43

        	if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 74 109 1 toUpperCase 1 74 if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 74 85 2 equals 1 74 if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) { webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java 42 45 1 toUpperCase 1 42 if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) { webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java 42 26 2 equals 1 42 if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) { webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java 45 50 1 toUpperCase 1 45 if (!"POST".equals(answer.toUpperCase())) { webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java 45 31 2 equals 1 45 if (!"POST".equals(answer.toUpperCase())) { webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 42 39 1 toLowerCase 1 42 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 42 46 2 trim 1 42 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 42 55 3 equals 1 42 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 42 95 1 toLowerCase 1 42 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 42 102 2 trim 1 42 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 42 111 3 equals 1 42 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 43 46 1 toLowerCase 1 43

                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 43 53 2 trim 1 43

                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 43 62 3 equals 1 43

                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 43 102 1 toLowerCase 1 43

                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 43 109 2 trim 1 43

                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java 43 118 3 equals 1 43

                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 54 95 1 toLowerCase 1 54 if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) { webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 54 104 2 equals 1 54 if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) { webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 61 94 1 toLowerCase 1 61 if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) { webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 61 103 2 equals 1 61 if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) { webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 68 96 1 toLowerCase 1 68 if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) { webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java 68 105 2 equals 1 68 if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) { webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java 24 70 1 toLowerCase 1 24 private static String OS = System.getProperty("os.name").toLowerCase(); webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java 24 24 2 OS 2 24 private static String OS = System.getProperty("os.name").toLowerCase(); webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java 35 10 3 OS 2 35 if (OS.indexOf("win")>-1) { webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java 35 20 4 indexOf 1 35 if (OS.indexOf("win")>-1) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 102 30 1 toLowerCase 1 102 if (jsonHeader.toLowerCase().contains("none")) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 102 41 2 contains 1 102 if (jsonHeader.toLowerCase().contains("none")) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 59 60 1 toLowerCase 1 59 if ("webgoat".equalsIgnoreCase(username.toLowerCase())) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 59 39 2 equalsIgnoreCase 1 59 if ("webgoat".equalsIgnoreCase(username.toLowerCase())) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 63 61 1 toLowerCase 1 63 String validAnswer = COLORS.get(username.toLowerCase()); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 63 40 2 get 1 63 String validAnswer = COLORS.get(username.toLowerCase()); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 63 16 3 validAnswer 11 63 String validAnswer = COLORS.get(username.toLowerCase()); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 66 20 4 validAnswer 11 66 } else if (validAnswer.equals(securityQuestion)) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java 66 38 5 equals 1 66 } else if (validAnswer.equals(securityQuestion)) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 84 49 1 toLowerCase 1 84 if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 84 60 2 contains 1 84 if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java 48 80 1 toLowerCase 1 48 if (input.toLowerCase().contains(this.results[position].toLowerCase())) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java 48 45 2 contains 1 48 if (input.toLowerCase().contains(this.results[position].toLowerCase())) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java 48 34 1 toLowerCase 1 48 if (input.toLowerCase().contains(this.results[position].toLowerCase())) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java 48 45 2 contains 1 48 if (input.toLowerCase().contains(this.results[position].toLowerCase())) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 36 1 toUpperCase 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 46 2 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 66 3 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 9 4 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 13 5 userId 6 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 53 62 6 userId 6 53 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 7 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 62 18 8 accountName 11 62 if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 62 37 9 matches 1 62 if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 36 1 toUpperCase 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 46 2 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 66 3 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 9 4 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 13 5 userId 6 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 53 62 6 userId 6 53 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 7 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 8 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 9 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 60 10 query 5 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 11 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 27 12 results 7 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 67 13 results 7 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 88 47 14 results 7 88 public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 103 32 15 next 1 103 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 16 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 17 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 29 18 append 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 107 21 19 t 1 107 t.append(", "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 110 17 20 t 1 110 t.append(" "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 117 9 21 t 1 117 t.append(""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 17 22 t 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 27 23 toString 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 66 24 writeTable 1 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 34 25 append 1 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 63 26 output 6 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 25 27 output 6 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 40 28 toString 1 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 51 29 contains 1 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 36 1 toUpperCase 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 46 2 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 66 3 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 9 4 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 13 5 userId 6 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 53 62 6 userId 6 53 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 7 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 8 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 9 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 60 10 query 5 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 59 11 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 67 27 12 results 7 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 67 13 results 7 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 88 47 14 results 7 88 public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 103 32 15 next 1 103 while (results.next()) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 16 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 47 17 getString 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 106 29 18 append 1 106 t.append(results.getString(i)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 107 21 19 t 1 107 t.append(", "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 110 17 20 t 1 110 t.append(" "); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 117 9 21 t 1 117 t.append(""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 17 22 t 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 118 27 23 toString 1 118 return (t.toString()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 66 24 writeTable 1 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 73 34 25 append 1 73 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData)); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 63 26 output 6 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 78 27 toString 1 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 82 89 28 contains 1 82 if (output.toString().contains("dave") && output.toString().contains("passW0rD")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 36 1 toUpperCase 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 46 2 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 66 3 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 9 4 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 13 5 userId 6 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 28 6 contains 1 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java 56 62 1 username_reg 12 56

    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 32 2 account 7 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 60 6 query 5 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 7 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 86 1 operator 8 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 54 48 2 operator 8 54 return injectableQuery(account + " " + operator + " " + injection); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 57 51 3 accountName 11 57 protected AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 93 4 accountName 11 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 60 6 query 5 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 62 59 7 executeQuery 1 62 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 117 1 injection 9 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 129 2 username_login 14 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 70 3 prepareStatement 1 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 31 4 statement 9 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 169 2 password_login 14 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 70 3 prepareStatement 1 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 59 31 4 statement 9 59

            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 35 5 statement 9 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java 60 57 6 executeQuery 1 60 ResultSet resultSet = statement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 56 1 userid 6 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 58 66 7 prepareStatement 1 58

            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 58 31 8 query 5 58

            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);

             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 73 79 3 prepareStatement 1 73

             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 73 198 4 preparedStatement 1 73

             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 74 28 5 preparedStatement 17 74 ResultSet rs = preparedStatement.executeQuery(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java 74 58 6 executeQuery 1 74 ResultSet rs = preparedStatement.executeQuery(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 66 30 1 e 1 66 } catch (IOException e) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 67 71 2 e 1 67 return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 67 70 3 getStackTrace 1 67 return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 67 41 4 feedback 1 67 return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build(); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 67 80 5 build 1 67 return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 119 38 1 e 1 119 } catch (ExpiredJwtException e) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 120 29 2 e 1 120 user = (String) e.getClaims().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 120 40 3 getClaims 1 120 user = (String) e.getClaims().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 120 46 4 get 1 120 user = (String) e.getClaims().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 120 13 5 user 4 120 user = (String) e.getClaims().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 39 6 user 4 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 67 56 7 user 4 67 private Map<String, Object> createNewTokens(String user) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 28 8 user 4 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 19 9 put 1 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 28 10 claims 6 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 27 11 setClaims 1 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 74 26 12 signWith 1 74 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 75 25 13 compact 1 75 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 71 16 14 token 5 71 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 39 15 token 5 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 22 16 put 1 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 80 9 17 tokenJson 9 80 tokenJson.put("refresh_token", refreshToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 81 16 18 tokenJson 9 81 return tokenJson; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 38 19 createNewTokens 1 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 22 20 ok 1 128 return ok(createNewTokens(user)); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 74 35 1 sqle 4 74 } catch (SQLException sqle) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 75 17 2 sqle 4 75 sqle.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 75 37 3 printStackTrace 1 75 sqle.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 83 32 1 e 1 83 } catch (Exception e) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 84 17 2 e 1 84 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 88 17 3 e 1 88 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 88 34 4 printStackTrace 1 88 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 83 32 1 e 1 83 } catch (Exception e) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 84 17 2 e 1 84 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 84 34 3 printStackTrace 1 84 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 99 39 1 sqle 4 99 } catch (SQLException sqle) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 100 21 2 sqle 4 100 sqle.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 100 41 3 printStackTrace 1 100 sqle.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 104 28 1 e 1 104 } catch (Exception e) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 105 13 2 e 1 105 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 109 13 3 e 1 109 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 109 30 4 printStackTrace 1 109 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 104 28 1 e 1 104 } catch (Exception e) { webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 105 13 2 e 1 105 e.printStackTrace(); webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java 105 30 3 printStackTrace 1 105 e.printStackTrace(); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 92 42 1 e 1 92 } catch (RestClientException e) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 93 103 2 e 1 93

                return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 93 115 3 getMessage 1 93

                return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 93 102 4 output 1 93

                return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 93 124 5 build 1 93

                return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java 73 25 6 sendEmail 1 73 return sendEmail(extractUsername(email), email); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 72 35 1 sqle 4 72 } catch (SQLException sqle) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 73 17 2 sqle 4 73 sqle.printStackTrace(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 73 37 3 printStackTrace 1 73 sqle.printStackTrace(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 76 28 1 e 1 76 } catch (Exception e) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 77 13 2 e 1 77 e.printStackTrace(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 77 30 3 printStackTrace 1 77 e.printStackTrace(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 76 35 1 e 1 76 } catch (SQLException e) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 77 36 2 e 1 77 System.err.println(e.getMessage()); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 78 117 3 e 1 78

                return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 78 129 4 getMessage 1 78

                return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 78 75 5 output 1 78

                return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 78 150 6 build 1 78

                return failed(this).feedback("sql-injection.error").output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java 56 40 7 injectableQueryIntegrity 1 56 return injectableQueryIntegrity(name, auth_tan); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java 102 28 1 exception 9 102 } catch (Exception exception) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java 103 13 2 exception 9 103 exception.printStackTrace(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java 103 38 3 printStackTrace 1 103 exception.printStackTrace(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 54 28 1 ex 2 54 } catch (Exception ex) { webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 55 80 2 ex 2 55 return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 55 93 3 getMessage 1 55 return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 55 79 4 output 1 55 return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 55 102 5 build 1 55 return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 65 28 1 e 1 65 } catch (Exception e) { webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 66 80 2 e 1 66 return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 66 92 3 getMessage 1 66 return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 66 79 4 output 1 66 return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 66 101 5 build 1 66 return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 64 42 1 e 1 64 } catch (RestClientException e ) { webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 65 89 2 e 1 65 return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 65 101 3 getMessage 1 65 return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 65 88 4 output 1 65 return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build(); webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java 65 110 5 build 1 65 return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 87 28 1 e 1 87 } catch (Exception e) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 40 2 e 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 50 3 toString 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 39 4 output 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 88 59 5 build 1 88 return failed(this).output(e.toString()).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 69 32 1 e 1 69 } catch (Exception e) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 70 92 2 e 1 70 error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 70 91 3 getFullStackTrace 1 70 error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 70 17 4 error 5 70 error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 71 94 5 error 5 71 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 71 93 6 output 1 71 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 71 106 7 build 1 71 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 71 17 8 attackResult 12 71 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 75 16 9 attackResult 12 75 return attackResult; webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 74 28 1 e 1 74 } catch (Exception e) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 75 54 2 e 1 75 error = ExceptionUtils.getFullStackTrace(e); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 75 53 3 getFullStackTrace 1 75 error = ExceptionUtils.getFullStackTrace(e); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 75 13 4 error 5 75 error = ExceptionUtils.getFullStackTrace(e); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 77 36 5 error 5 77 return failed(this).output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 77 35 6 output 1 77 return failed(this).output(error).build(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java 77 48 7 build 1 77 return failed(this).output(error).build(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 50 1 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 175 2 BinaryExpr 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 165 1 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 175 2 BinaryExpr 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 147 1 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 165 2 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 175 3 BinaryExpr 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 130 1 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 147 2 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 165 3 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 175 4 BinaryExpr 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 108 1 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 130 2 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 147 3 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 165 4 replace 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java 138 175 5 BinaryExpr 1 138

			return "{\"jsonHeader\":\""+jsonHeader.replace("\"", "\\\"")+"\",\"jsonPayload\":\""+jsonPayload.replace("\"", "\\\"").replace("\t","").replace("\r", "").replace("\n", "")+"\"}";

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 84 1 replace 1 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 70 2 parse 1 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 91 17 3 jwt 3 91 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 92 38 4 jwt 3 92 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 92 49 5 getBody 1 92 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 92 20 6 claims 6 92 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 93 36 7 claims 6 93 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 93 46 8 get 1 93 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 93 20 9 user 4 93 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 81 10 user 4 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 80 11 feedbackArgs 1 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 92 12 build 1 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 97 22 13 ok 1 97 return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 100 1 replace 1 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 86 2 parse 1 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 116 33 3 jwt 3 116 Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 29 4 jwt 3 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 40 5 getBody 1 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 46 6 get 1 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 117 13 7 user 4 117 user = (String) jwt.getBody().get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 39 8 user 4 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 67 56 9 user 4 67 private Map<String, Object> createNewTokens(String user) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 28 10 user 4 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 70 19 11 put 1 70 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 28 12 claims 6 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 73 27 13 setClaims 1 73 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 74 26 14 signWith 1 74 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 75 25 15 compact 1 75 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 71 16 16 token 5 71 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 39 17 token 5 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 79 22 18 put 1 79 tokenJson.put("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 80 9 19 tokenJson 9 80 tokenJson.put("refresh_token", refreshToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 81 16 20 tokenJson 9 81 return tokenJson; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 38 21 createNewTokens 1 128 return ok(createNewTokens(user)); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 128 22 22 ok 1 128 return ok(createNewTokens(user)); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 27 71 1 replace 1 27 return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 26 63 2 fullName 8 26 protected AttackResult execute(MultipartFile file, String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 58 3 fullName 8 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 32 4 File 3 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 17 5 uploadedFile 12 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 27 71 1 replace 1 27 return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 26 63 2 fullName 8 26 protected AttackResult execute(MultipartFile file, String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 58 3 fullName 8 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 32 4 File 3 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 17 5 uploadedFile 12 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 48 129 6 getAbsoluteFile 1 48

            return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 48 100 7 feedbackArgs 1 48

            return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 48 138 8 build 1 48

            return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 27 29 9 execute 1 27 return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 72 1 replace 1 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 64 43 2 output 1 64 return failed(this).output("Could not parse: " + login_count + " to a number" webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 65 97 3 build 1 65 + " Your query was: " + queryString.replace("?", login_count)).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 31 4 injectableQuery 1 52 return injectableQuery(login_count, userid); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 130 1 replace 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 89 2 output 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 162 3 feedbackArgs 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 187 4 build 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 31 5 injectableQuery 1 52 return injectableQuery(login_count, userid); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 84 117 1 replace 1 84

                        return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 84 51 2 output 1 84

                        return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 84 142 3 build 1 84

                        return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 88 87 2 output 1 88

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 88 153 3 build 1 88

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 52 31 4 injectableQuery 1 52 return injectableQuery(login_count, userid); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 108 1 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 11 2 payload 7 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 3 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 4 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 13 5 contact 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 83 6 feedbackArgs 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 98 7 build 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 89 1 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 108 2 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 11 3 payload 7 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 4 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 5 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 13 6 contact 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 83 7 feedbackArgs 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 98 8 build 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 71 1 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 89 2 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 108 3 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 11 4 payload 7 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 5 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 6 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 13 7 contact 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 83 8 feedbackArgs 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 98 9 build 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 53 1 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 71 2 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 89 3 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 108 4 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 11 5 payload 7 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 6 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 7 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 13 8 contact 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 83 9 feedbackArgs 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 98 10 build 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 36 1 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 53 2 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 71 3 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 89 4 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 108 5 replace 1 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 51 11 6 payload 7 51 payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 49 7 payload 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 48 8 fromXML 1 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 53 13 9 contact 7 53 contact = (Contact) xstream.fromXML(payload); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 83 10 feedbackArgs 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java 68 98 11 build 1 68 return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build(); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 51 56 1 userid_6a 9 51 public AttackResult completed(@RequestParam String userid_6a) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 52 32 2 userid_6a 9 52 return injectableQuery(userid_6a); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 3 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 4 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 119 6 query 5 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 96 7 output 1 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 48 89 1 userId 6 48 public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 49 13 2 userId 6 49 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 52 62 3 userId 6 52 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 4 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 5 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 6 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 119 7 query 5 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 96 8 output 1 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 48 101 1 userId 6 48 public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 18 2 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 36 3 toUpperCase 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 46 4 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 66 5 replace 1 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 49 9 6 userId 6 49 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 50 13 7 userId 6 50 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java 53 62 8 userId 6 53 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 9 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 10 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 11 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 119 12 query 5 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 96 13 output 1 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 56 1 account 7 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 78 87 7 output 1 78

                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 56 1 account 7 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 89 7 output 1 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 86 1 operator 8 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 78 87 7 output 1 78

                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 86 1 operator 8 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 89 7 output 1 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 117 1 injection 9 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 78 87 7 output 1 78

                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 53 117 1 injection 9 53

    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java 73 89 7 output 1 73

                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 85 1 login_count 11 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 130 5 replace 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 89 6 output 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 85 1 login_count 11 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 88 128 5 replace 1 88

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 88 87 6 output 1 88

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 56 1 userid 6 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 130 7 replace 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 82 89 8 output 1 82

                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 51 56 1 userid 6 51

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 88 128 7 replace 1 88

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java 88 87 8 output 1 88

                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java 31 87 1 file 4 31

    public AttackResult uploadFileHandler(@RequestParam("uploadedFile") MultipartFile file, @RequestParam(value = "fullName", required = false) String fullName) {

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java 32 30 2 file 4 32 return super.execute(file, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 25 60 1 file 4 25 @RequestParam("uploadedFileFix") MultipartFile file, webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 27 30 2 file 4 27 return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java 26 102 1 file 4 26 public AttackResult uploadFileHandler(@RequestParam("uploadedFileRemoveUserInput") MultipartFile file) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java 27 30 2 file 4 27 return super.execute(file, file.getOriginalFilename()); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 92 24 1 ""admin"" 7 92 claims.put("admin", "false"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 92 23 2 put 1 92 claims.put("admin", "false"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 13 3 claims 6 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 32 4 claims 6 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 31 5 setClaims 1 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 30 6 signWith 1 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 97 29 7 compact 1 97 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 94 20 8 token 5 94 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 56 9 token 5 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 92 33 1 ""false"" 7 92 claims.put("admin", "false"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 92 23 2 put 1 92 claims.put("admin", "false"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 13 3 claims 6 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 32 4 claims 6 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 31 5 setClaims 1 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 30 6 signWith 1 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 97 29 7 compact 1 97 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 94 20 8 token 5 94 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 56 9 token 5 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 24 1 ""user"" 6 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 93 23 2 put 1 93 claims.put("user", user); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 32 3 claims 6 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 95 31 4 setClaims 1 95 .setClaims(claims) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 96 30 5 signWith 1 96 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 97 29 6 compact 1 97 .compact(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 94 20 7 token 5 94 String token = Jwts.builder() webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 98 56 8 token 5 98 Cookie cookie = new Cookie("access_token", token); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 72 1 ""alg"" 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 71 2 setHeaderParam 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 94 3 compact 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 16 4 token 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 78 52 5 token 5 78 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 71 20 1 ""admin"" 7 71 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 71 19 2 put 1 71 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 72 9 3 claims 6 72 claims.put("user", "Tom"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 49 4 claims 6 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 48 5 setClaims 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 71 6 setHeaderParam 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 94 7 compact 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 16 8 token 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 78 52 9 token 5 78 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 71 29 1 ""true"" 6 71 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 71 19 2 put 1 71 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 72 9 3 claims 6 72 claims.put("user", "Tom"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 49 4 claims 6 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 48 5 setClaims 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 71 6 setHeaderParam 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 94 7 compact 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 16 8 token 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 78 52 9 token 5 78 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 72 20 1 ""user"" 6 72 claims.put("user", "Tom"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 72 19 2 put 1 72 claims.put("user", "Tom"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 49 3 claims 6 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 48 4 setClaims 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 71 5 setHeaderParam 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 94 6 compact 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 16 7 token 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 78 52 8 token 5 78 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 72 28 1 ""Tom"" 5 72 claims.put("user", "Tom"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 72 19 2 put 1 72 claims.put("user", "Tom"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 49 3 claims 6 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 48 4 setClaims 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 71 5 setHeaderParam 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 94 6 compact 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 16 7 token 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 78 52 8 token 5 78 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 79 1 ""none"" 6 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 71 2 setHeaderParam 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 94 3 compact 1 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 73 16 4 token 5 73 String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact(); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 78 52 5 token 5 78 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 187 20 1 ""admin"" 7 187 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 187 19 2 put 1 187 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 188 9 3 claims 6 188 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 114 4 claims 6 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 113 5 setClaims 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 129 6 compact 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 16 7 token 5 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 192 52 8 token 5 192 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 187 29 1 ""true"" 6 187 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 187 19 2 put 1 187 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 188 9 3 claims 6 188 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 114 4 claims 6 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 113 5 setClaims 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 129 6 compact 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 16 7 token 5 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 192 52 8 token 5 192 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 188 20 1 ""user"" 6 188 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 188 19 2 put 1 188 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 114 3 claims 6 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 113 4 setClaims 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 129 5 compact 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 16 6 token 5 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 192 52 7 token 5 192 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 188 28 1 ""Intruder"" 10 188 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 188 19 2 put 1 188 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 114 3 claims 6 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 113 4 setClaims 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 129 5 compact 1 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 189 16 6 token 5 189

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 192 52 7 token 5 192 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 199 20 1 ""admin"" 7 199 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 199 19 2 put 1 199 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 200 9 3 claims 6 200 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 114 4 claims 6 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 113 5 setClaims 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 129 6 compact 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 16 7 token 5 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 204 52 8 token 5 204 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 199 29 1 ""true"" 6 199 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 199 19 2 put 1 199 claims.put("admin", "true"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 200 9 3 claims 6 200 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 114 4 claims 6 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 113 5 setClaims 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 129 6 compact 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 16 7 token 5 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 204 52 8 token 5 204 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 200 20 1 ""user"" 6 200 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 200 19 2 put 1 200 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 114 3 claims 6 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 113 4 setClaims 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 129 5 compact 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 16 6 token 5 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 204 52 7 token 5 204 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 200 28 1 ""Intruder"" 10 200 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 200 19 2 put 1 200 claims.put("user", "Intruder"); webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 114 3 claims 6 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 113 4 setClaims 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 129 5 compact 1 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 201 16 6 token 5 201

        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java 204 52 7 token 5 204 .cookie(new Cookie("access_token", token))) webgoat-lessons/jwt/src/main/resources/js/jwt-refresh.js 10 53 1 ""bm5nhSkxCXZkKRy4"" 18 10 data: JSON.stringify({user: user, password: "bm5nhSkxCXZkKRy4"}) webgoat-lessons/jwt/src/main/resources/js/jwt-refresh.js 10 43 2 password 8 10 data: JSON.stringify({user: user, password: "bm5nhSkxCXZkKRy4"}) webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 15 1 ""\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B"" 46 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 144 1 ""\x73\x65\x6E\x64"" 18 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 14 2 Array 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 6 3 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 5 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 229 6 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 220 7 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 105 1 ""\x73\x74\x72\x69\x6E\x67\x69\x66\x79"" 38 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 62 1 ""\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C"" 42 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-login/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 15 1 ""\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B"" 46 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 144 1 ""\x73\x65\x6E\x64"" 18 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 14 2 Array 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 6 3 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 5 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 229 6 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 220 7 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 105 1 ""\x73\x74\x72\x69\x6E\x67\x69\x66\x79"" 38 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 62 1 ""\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C"" 42 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/ssrf/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 15 1 ""\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B"" 46 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 144 1 ""\x73\x65\x6E\x64"" 18 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 14 2 Array 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 6 3 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 5 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 229 6 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 220 7 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 105 1 ""\x73\x74\x72\x69\x6E\x67\x69\x66\x79"" 38 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 62 1 ""\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C"" 42 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 6 2 _0xb7f9 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 3 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 199 4 _0xb7f9 1 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 229 5 1 7 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js 5 220 6 password 8 5

	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java 34 12 1 PASSWORD 8 34 String PASSWORD = "!!webgoat_admin_1234!!"; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java 35 12 1 PASSWORD_TOM 12 35 String PASSWORD_TOM = "thisisasecretfortomonly"; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java 36 12 1 ADMIN_PASSWORD_LINK 19 36 String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2"; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 48 32 1 PASSWORD 8 48 public static final String PASSWORD = "bm5nhSkxCXZkKRy4"; webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java 49 33 1 JWT_PASSWORD 12 49 private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4"; webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 48 25 1 PASSWORD_TOM_9 14 48 static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 61 16 1 password 8 61 String password = "dave"; webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java 24 47 1 getProperty 1 24 private static String OS = System.getProperty("os.name").toLowerCase(); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 59 34 1 mkdir 1 59 targetDirectory.mkdir(); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 67 34 1 mkdir 1 67 targetDirectory.mkdir(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 44 41 1 mkdirs 1 44 this.catPicturesDirectory.mkdirs(); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 58 36 1 exists 1 58 if (!targetDirectory.exists()) { webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 66 36 1 exists 1 66 if (!targetDirectory.exists()) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 75 67 1 request 7 75 public ResponseEntity<?> getProfilePicture(HttpServletRequest request) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 76 27 2 request 7 76 var queryParams = request.getQueryString(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 22 3 request 7 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 42 4 getParameter 1 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 17 5 id 2 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 82 30 6 File 3 82 var catPicture = new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 43 1 ""id"" 4 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 42 2 getParameter 1 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 81 17 3 id 2 81 var id = request.getParameter("id"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 82 30 4 File 3 82 var catPicture = new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java 26 102 1 file 4 26 public AttackResult uploadFileHandler(@RequestParam("uploadedFileRemoveUserInput") MultipartFile file) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java 27 36 2 file 4 27 return super.execute(file, file.getOriginalFilename()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java 27 60 3 getOriginalFilename 1 27 return super.execute(file, file.getOriginalFilename()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 26 63 4 fullName 8 26 protected AttackResult execute(MultipartFile file, String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 58 5 fullName 8 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 32 6 File 3 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java 31 152 1 fullName 8 31

    public AttackResult uploadFileHandler(@RequestParam("uploadedFile") MultipartFile file, @RequestParam(value = "fullName", required = false) String fullName) {

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java 32 36 2 fullName 8 32 return super.execute(file, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 26 63 3 fullName 8 26 protected AttackResult execute(MultipartFile file, String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 58 4 fullName 8 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 32 5 File 3 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 26 75 1 fullName 8 26 @RequestParam(value = "fullNameFix", required = false) String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 27 55 2 fullName 8 27 return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java 27 71 3 replace 1 27 return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 26 63 4 fullName 8 26 protected AttackResult execute(MultipartFile file, String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 58 5 fullName 8 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 41 32 6 File 3 41 var uploadedFile = new File(uploadDirectory, fullName); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 69 78 1 getCookies 1 69

        boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE);

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 99 59 2 cookies 7 99 private boolean requestContainsWebGoatCookie(Cookie[] cookies) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 101 29 3 cookies 7 101 for (Cookie c : cookies) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 102 21 4 c 1 102 if (c.getName().equals("JSESSIONID")) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 102 30 5 getName 1 102 if (c.getName().equals("JSESSIONID")) { webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java 102 39 6 equals 1 102 if (c.getName().equals("JSESSIONID")) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 112 103 1 accessToken 11 112 public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 118 75 2 accessToken 11 118 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 118 74 3 parse 1 118 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 118 21 4 jwt 3 118 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 119 42 5 jwt 3 119 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 119 53 6 getBody 1 119 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 119 24 7 claims 6 119 Claims claims = (Claims) jwt.getBody(); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 120 40 8 claims 6 120 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 120 50 9 get 1 120 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 120 24 10 user 4 120 String user = (String) claims.get("user"); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 121 36 11 user 4 121 if ("Guest".equals(user) || !validUsers.contains(user)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 121 35 12 equals 1 121 if ("Guest".equals(user) || !validUsers.contains(user)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 121 42 13 || 2 121 if ("Guest".equals(user) || !validUsers.contains(user)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 112 103 1 accessToken 11 112 public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 114 33 2 accessToken 11 114 if (StringUtils.isEmpty(accessToken)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 114 32 3 isEmpty 1 114 if (StringUtils.isEmpty(accessToken)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 136 125 1 accessToken 11 136

    public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 137 33 2 accessToken 11 137 if (StringUtils.isEmpty(accessToken)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 137 32 3 isEmpty 1 137 if (StringUtils.isEmpty(accessToken)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 158 98 1 accessToken 11 158 public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 159 33 2 accessToken 11 159 if (StringUtils.isEmpty(accessToken)) { webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 159 32 3 isEmpty 1 159 if (StringUtils.isEmpty(accessToken)) { webgoat-lessons/jwt/src/main/resources/html/JWT.html 8 22 1 load 1 8 $("#secrettoken").load('/WebGoat/JWT/secret/gettoken'); webgoat-lessons/crypto/src/main/resources/html/Crypto.html 10 19 1 load 1 10 $("#sha256token").load('/WebGoat/crypto/hashing/sha256'); webgoat-lessons/crypto/src/main/resources/html/Crypto.html 11 16 1 load 1 11 $("#md5token").load('/WebGoat/crypto/hashing/md5'); webgoat-lessons/crypto/src/main/resources/html/Crypto.html 12 22 1 load 1 12 $("#basicauthtoken").load('/WebGoat/crypto/encoding/basic'); webgoat-lessons/crypto/src/main/resources/html/Crypto.html 13 18 1 load 1 13 $("#privatekey").load('/WebGoat/crypto/signing/getprivate'); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 168 26 1 FileInputStream 3 168 InputStream is = new FileInputStream(f); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 168 21 2 is 2 168 InputStream is = new FileInputStream(f); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 170 9 3 is 2 170 is.close(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 170 17 4 close 1 170 is.close(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 183 26 1 FileInputStream 3 183 InputStream is = new FileInputStream(f); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 183 21 2 is 2 183 InputStream is = new FileInputStream(f); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 185 9 3 is 2 185 is.close(); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 185 17 4 close 1 185 is.close(); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 29 34 1 ObjectOutputStream 3 29 ObjectOutputStream oos = new ObjectOutputStream(baos); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 29 28 2 oos 3 29 ObjectOutputStream oos = new ObjectOutputStream(baos); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 30 9 3 oos 3 30 oos.writeObject(o); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 31 9 4 oos 3 31 oos.close(); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 31 18 5 close 1 31 oos.close(); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 37 32 1 DataOutputStream 3 37 DataOutputStream dos = new DataOutputStream(baos); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 37 26 2 dos 3 37 DataOutputStream dos = new DataOutputStream(baos); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 38 9 3 dos 3 38 dos.writeLong(-8699352886133051976L); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 39 9 4 dos 3 39 dos.close(); webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java 39 18 5 close 1 39 dos.close(); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 85 57 1 getResourceAsStream 1 85 var inputStream = getClass().getResourceAsStream("/images/account.png"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 85 13 2 inputStream 11 85 var inputStream = getClass().getResourceAsStream("/images/account.png"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 88 80 3 inputStream 11 88 .body(Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream))); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 31 1 read 1 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 41 2 != 2 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 154 32 3 read 4 154 md5.update(buffer, read); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 350 43 4 length 6 350 public void update(byte buffer[], int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 351 27 5 length 6 351 update(buffer, 0, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 336 55 6 length 6 336 public void update(byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 337 46 7 length 6 337 update(workingState, buffer, offset, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 288 72 8 length 6 288 private void update(MD5State state, byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 27 9 length 6 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 14 10 bitCount 1 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 310 23 11 state 5 310 transform(state, decode(state.buffer, 64, 0)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 606 44 12 state 5 606 private static void transform(MD5State state, int[] x) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 22 13 state 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 13 14 a 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 613 16 15 a 1 613 a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */ webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 532 31 16 a 1 532 private static int FF(int a, int b, int c, int d, int x, int s, int ac) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 14 17 a 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 22 18 | 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 11 19 AssignExpr 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 49 38 1 args 4 49 public static void main(String[] args) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 67 2 element 7 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 58 3 File 3 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 182 45 4 f 1 182 public static String getHashString(File f) throws IOException { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 184 37 5 is 2 184 String hash = getHashString(is); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 149 52 6 in 2 149 public static String getHashString(InputStream in) throws IOException { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 24 7 in 2 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 31 8 read 1 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 41 9 != 2 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 154 32 10 read 4 154 md5.update(buffer, read); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 350 43 11 length 6 350 public void update(byte buffer[], int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 351 27 12 length 6 351 update(buffer, 0, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 336 55 13 length 6 336 public void update(byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 337 46 14 length 6 337 update(workingState, buffer, offset, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 288 72 15 length 6 288 private void update(MD5State state, byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 27 16 length 6 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 14 17 bitCount 1 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 310 23 18 state 5 310 transform(state, decode(state.buffer, 64, 0)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 606 44 19 state 5 606 private static void transform(MD5State state, int[] x) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 22 20 state 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 13 21 a 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 613 16 22 a 1 613 a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */ webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 532 31 23 a 1 532 private static int FF(int a, int b, int c, int d, int x, int s, int ac) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 14 24 a 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 22 25 | 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 11 26 AssignExpr 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 135 31 1 read 1 135 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 135 41 2 != 2 135 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 136 32 3 read 4 136 md5.update(buffer, read); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 350 43 4 length 6 350 public void update(byte buffer[], int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 351 27 5 length 6 351 update(buffer, 0, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 336 55 6 length 6 336 public void update(byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 337 46 7 length 6 337 update(workingState, buffer, offset, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 288 72 8 length 6 288 private void update(MD5State state, byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 27 9 length 6 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 14 10 bitCount 1 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 310 23 11 state 5 310 transform(state, decode(state.buffer, 64, 0)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 606 44 12 state 5 606 private static void transform(MD5State state, int[] x) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 22 13 state 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 13 14 a 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 613 16 15 a 1 613 a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */ webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 532 31 16 a 1 532 private static int FF(int a, int b, int c, int d, int x, int s, int ac) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 14 17 a 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 22 18 | 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 11 19 AssignExpr 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 31 1 read 1 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 41 2 != 2 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 154 32 3 read 4 154 md5.update(buffer, read); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 350 43 4 length 6 350 public void update(byte buffer[], int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 351 27 5 length 6 351 update(buffer, 0, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 336 55 6 length 6 336 public void update(byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 337 46 7 length 6 337 update(workingState, buffer, offset, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 288 72 8 length 6 288 private void update(MD5State state, byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 27 9 length 6 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 14 10 bitCount 1 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 310 23 11 state 5 310 transform(state, decode(state.buffer, 64, 0)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 606 44 12 state 5 606 private static void transform(MD5State state, int[] x) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 22 13 state 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 13 14 a 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 613 16 15 a 1 613 a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */ webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 532 31 16 a 1 532 private static int FF(int a, int b, int c, int d, int x, int s, int ac) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 14 17 a 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 22 18 | 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 11 19 AssignExpr 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 49 38 1 args 4 49 public static void main(String[] args) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 67 2 element 7 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 55 58 3 File 3 55 System.out.println(MD5.getHashString(new File(element)) + " " + element); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 182 45 4 f 1 182 public static String getHashString(File f) throws IOException { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 184 37 5 is 2 184 String hash = getHashString(is); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 149 52 6 in 2 149 public static String getHashString(InputStream in) throws IOException { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 24 7 in 2 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 31 8 read 1 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 153 41 9 != 2 153 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 154 32 10 read 4 154 md5.update(buffer, read); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 350 43 11 length 6 350 public void update(byte buffer[], int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 351 27 12 length 6 351 update(buffer, 0, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 336 55 13 length 6 336 public void update(byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 337 46 14 length 6 337 update(workingState, buffer, offset, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 288 72 15 length 6 288 private void update(MD5State state, byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 27 16 length 6 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 14 17 bitCount 1 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 310 23 18 state 5 310 transform(state, decode(state.buffer, 64, 0)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 606 44 19 state 5 606 private static void transform(MD5State state, int[] x) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 22 20 state 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 13 21 a 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 613 16 22 a 1 613 a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */ webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 532 31 23 a 1 532 private static int FF(int a, int b, int c, int d, int x, int s, int ac) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 14 24 a 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 22 25 | 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 11 26 AssignExpr 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 135 31 1 read 1 135 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 135 41 2 != 2 135 while ((read = in.read(buffer)) != -1) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 136 32 3 read 4 136 md5.update(buffer, read); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 350 43 4 length 6 350 public void update(byte buffer[], int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 351 27 5 length 6 351 update(buffer, 0, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 336 55 6 length 6 336 public void update(byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 337 46 7 length 6 337 update(workingState, buffer, offset, length); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 288 72 8 length 6 288 private void update(MD5State state, byte buffer[], int offset, int length) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 27 9 length 6 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 303 14 10 bitCount 1 303 state.bitCount += length << 3; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 310 23 11 state 5 310 transform(state, decode(state.buffer, 64, 0)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 606 44 12 state 5 606 private static void transform(MD5State state, int[] x) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 22 13 state 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 607 13 14 a 1 607 int a = state.state[0]; webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 613 16 15 a 1 613 a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */ webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 532 31 16 a 1 532 private static int FF(int a, int b, int c, int d, int x, int s, int ac) { webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 14 17 a 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 22 18 | 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java 537 11 19 AssignExpr 1 537 a = (a << s) | (a >>> (32 - s)); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 57 52 1 ""MD5"" 5 57 MessageDigest md = MessageDigest.getInstance("MD5"); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 57 51 2 getInstance 1 57 MessageDigest md = MessageDigest.getInstance("MD5"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 67 37 1 shaHex 1 67 if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) { webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java 62 95 1 shaHex 1 62 mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test"))) webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 48 89 1 userId 6 48 public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 49 13 2 userId 6 49 if (userId.contains(" ")) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java 52 62 3 userId 6 52 AttackResult attackResult = lesson6a.injectableQuery(userId); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 4 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 5 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 6 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 119 7 query 5 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 96 8 output 1 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 51 56 1 userid_6a 9 51 public AttackResult completed(@RequestParam String userid_6a) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 52 32 2 userid_6a 9 52 return injectableQuery(userid_6a); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 56 48 3 accountName 11 56 public AttackResult injectableQuery(String accountName) { webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 69 4 accountName 11 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 60 13 5 query 5 60 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 119 6 query 5 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 96 7 output 1 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java 89 96 13 output 1 89

                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 45 116 1 text 4 45

    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 70 2 text 4 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 39 3 format 1 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 46 16 4 logLine 7 46 String logLine = String.format("%s %s %s", "GET", userAgent, text); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 47 19 5 logLine 7 47 log.debug(logLine); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 47 18 6 debug 1 47 log.debug(logLine); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 45 66 1 userAgent 9 45

    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

    public AttackResult completed(HttpServletRequest request, @RequestParam String modulus, @RequestParam String signature) {

webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 75 37 2 modulus 7 75 log.warn("modulus {} incorrect", modulus); webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java 75 12 3 warn 1 75 log.warn("modulus {} incorrect", modulus); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 99 32 1 cookie 6 99 response.addCookie(cookie); webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java 104 32 1 cookie 6 104 response.addCookie(cookie); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 67 59 1 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 67 27 2 results 7 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 70 49 3 getString 1 70 password = results.getString("password"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 70 21 4 password 8 70 password = results.getString("password"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 67 59 1 executeQuery 1 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 67 27 2 results 7 67 ResultSet results = statement.executeQuery(query); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 70 49 3 getString 1 70 password = results.getString("password"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 70 21 4 password 8 70 password = results.getString("password"); webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java 80 17 5 password 8 80 return (password); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 79 76 1 link 4 79 public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) { webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 83 31 2 link 4 83 form.setResetLink(link); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 83 30 3 setResetLink 1 83 form.setResetLink(link); webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java 85 44 4 form 4 85 modelAndView.addObject("form", form); webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java 85 52 1 fmt 3 85 review.setDateTime(DateTime.now().toString(fmt)); __MACOSX/webgoat-lessons/auth-bypass/src/main/resources/html/._AuthBypass.html 1 1 1 CxJSNS_425095432 0 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 26 50 1 file 4 26 protected AttackResult execute(MultipartFile file, String fullName) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 27 13 2 file 4 27 if (file.isEmpty()) { webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 43 32 3 file 4 43 FileCopyUtils.copy(file.getBytes(), uploadedFile); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 43 45 4 getBytes 1 43 FileCopyUtils.copy(file.getBytes(), uploadedFile); webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html 73 9 1 <a href="/WebGoat/WebWolf/landing/password-reset" target="_blank"> 66 73 <a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a> webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html 73 9 1 <a href="/WebGoat/WebWolf/landing/password-reset" target="_blank"> 66 73 <a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a> webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java 58 13 1 try 3 58 try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) { webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java 57 51 1 getInstance 1 57 MessageDigest md = MessageDigest.getInstance("MD5"); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 57 63 1 ""/ClientSideFiltering"" 22 57 File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering"); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 57 32 2 File 3 57 File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering"); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 72 49 1 ""ClientSideFiltering/employees.xml"" 35 72 File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml"); webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java 72 18 2 File 3 72 File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 34 67 1 ""/PathTraversal/"" 17 34 var uploadDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 34 31 2 File 3 34 var uploadDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 67 75 1 ""/PathTraversal/"" 17 67 var profilePictureDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java 67 39 2 File 3 67 var profilePictureDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName()); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 43 68 1 ""/PathTraversal/"" 17 43 this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 43 37 2 File 3 43 this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 43 88 1 ""/cats"" 7 43 this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats"); webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java 43 37 2 File 3 43 this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 65 63 1 ""/XXE"" 6 65 File targetDirectory = new File(webGoatHomeDirectory, "/XXE"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java 65 32 2 File 3 65 File targetDirectory = new File(webGoatHomeDirectory, "/XXE"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 48 55 1 ""/XXE/log"" 10 48 File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt"); webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java 48 24 2 File 3 48 File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt"); webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java 79 58 1 ""/XXE/secret.txt"" 17 79 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java 79 27 2 File 3 79 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java 103 58 1 ""/XXE/secret.txt"" 17 103 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java 103 27 2 File 3 103 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");