webgoats

.gitignore

@@ -0,0 +1,14 @@
+# Project Files #
+#################
+*.userprefs
+*.pidb
+*swp
+bin
+obj
+WebGoat/App_Data/*.txt
+*.sqlite*
+WebGoat/Configuration/*.config
+
+# Trash Files #
+###############
+.DS_Store

Backup/WebGoat.NET.sln

@@ -0,0 +1,212 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebGoat.NET", "WebGoat\WebGoat.NET.csproj", "{83B04441-0F79-4424-AAD0-46E0C3CDDAA1}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{83B04441-0F79-4424-AAD0-46E0C3CDDAA1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{83B04441-0F79-4424-AAD0-46E0C3CDDAA1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{83B04441-0F79-4424-AAD0-46E0C3CDDAA1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{83B04441-0F79-4424-AAD0-46E0C3CDDAA1}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(MonoDevelopProperties) = preSolution
+		StartupItem = WebGoat\WebGoat.NET.csproj
+		Policies = $0
+		$0.DotNetNamingPolicy = $1
+		$1.DirectoryNamespaceAssociation = PrefixedFlat
+		$1.ResourceNamePolicy = FileFormatDefault
+		$0.StandardHeader = $2
+		$2.Text = 
+		$2.IncludeInNewFiles = True
+		$0.TextStylePolicy = $3
+		$3.inheritsSet = null
+		$3.scope = text/x-csharp
+		$0.CSharpFormattingPolicy = $4
+		$4.IndentSwitchBody = True
+		$4.AnonymousMethodBraceStyle = NextLine
+		$4.PropertyBraceStyle = DoNotChange
+		$4.PropertyGetBraceStyle = DoNotChange
+		$4.PropertySetBraceStyle = DoNotChange
+		$4.EventAddBraceStyle = NextLine
+		$4.EventRemoveBraceStyle = NextLine
+		$4.StatementBraceStyle = NextLine
+		$4.ElseNewLinePlacement = NewLine
+		$4.CatchNewLinePlacement = NewLine
+		$4.FinallyNewLinePlacement = NewLine
+		$4.BeforeMethodDeclarationParentheses = False
+		$4.BeforeMethodCallParentheses = False
+		$4.BeforeConstructorDeclarationParentheses = False
+		$4.NewParentheses = False
+		$4.SpacesBeforeBrackets = False
+		$4.inheritsSet = Mono
+		$4.inheritsScope = text/x-csharp
+		$4.scope = text/x-csharp
+		$0.TextStylePolicy = $5
+		$5.FileWidth = 120
+		$5.inheritsSet = VisualStudio
+		$5.inheritsScope = text/plain
+		$5.scope = text/plain
+		$0.NameConventionPolicy = $6
+		$6.Rules = $7
+		$7.NamingRule = $8
+		$8.Name = Namespaces
+		$8.AffectedEntity = Namespace
+		$8.VisibilityMask = VisibilityMask
+		$8.NamingStyle = PascalCase
+		$8.IncludeInstanceMembers = True
+		$8.IncludeStaticEntities = True
+		$7.NamingRule = $9
+		$9.Name = Types
+		$9.AffectedEntity = Class, Struct, Enum, Delegate
+		$9.VisibilityMask = VisibilityMask
+		$9.NamingStyle = PascalCase
+		$9.IncludeInstanceMembers = True
+		$9.IncludeStaticEntities = True
+		$7.NamingRule = $10
+		$10.Name = Interfaces
+		$10.RequiredPrefixes = $11
+		$11.String = I
+		$10.AffectedEntity = Interface
+		$10.VisibilityMask = VisibilityMask
+		$10.NamingStyle = PascalCase
+		$10.IncludeInstanceMembers = True
+		$10.IncludeStaticEntities = True
+		$7.NamingRule = $12
+		$12.Name = Attributes
+		$12.RequiredSuffixes = $13
+		$13.String = Attribute
+		$12.AffectedEntity = CustomAttributes
+		$12.VisibilityMask = VisibilityMask
+		$12.NamingStyle = PascalCase
+		$12.IncludeInstanceMembers = True
+		$12.IncludeStaticEntities = True
+		$7.NamingRule = $14
+		$14.Name = Event Arguments
+		$14.RequiredSuffixes = $15
+		$15.String = EventArgs
+		$14.AffectedEntity = CustomEventArgs
+		$14.VisibilityMask = VisibilityMask
+		$14.NamingStyle = PascalCase
+		$14.IncludeInstanceMembers = True
+		$14.IncludeStaticEntities = True
+		$7.NamingRule = $16
+		$16.Name = Exceptions
+		$16.RequiredSuffixes = $17
+		$17.String = Exception
+		$16.AffectedEntity = CustomExceptions
+		$16.VisibilityMask = VisibilityMask
+		$16.NamingStyle = PascalCase
+		$16.IncludeInstanceMembers = True
+		$16.IncludeStaticEntities = True
+		$7.NamingRule = $18
+		$18.Name = Methods
+		$18.AffectedEntity = Methods
+		$18.VisibilityMask = VisibilityMask
+		$18.NamingStyle = PascalCase
+		$18.IncludeInstanceMembers = True
+		$18.IncludeStaticEntities = True
+		$7.NamingRule = $19
+		$19.Name = Static Readonly Fields
+		$19.AffectedEntity = ReadonlyField
+		$19.VisibilityMask = Internal, Protected, Public
+		$19.NamingStyle = PascalCase
+		$19.IncludeInstanceMembers = False
+		$19.IncludeStaticEntities = True
+		$7.NamingRule = $20
+		$20.Name = Fields (Non Private)
+		$20.AffectedEntity = Field
+		$20.VisibilityMask = Internal, Protected, Public
+		$20.NamingStyle = PascalCase
+		$20.IncludeInstanceMembers = True
+		$20.IncludeStaticEntities = True
+		$7.NamingRule = $21
+		$21.Name = ReadOnly Fields (Non Private)
+		$21.AffectedEntity = ReadonlyField
+		$21.VisibilityMask = Internal, Protected, Public
+		$21.NamingStyle = PascalCase
+		$21.IncludeInstanceMembers = True
+		$21.IncludeStaticEntities = False
+		$7.NamingRule = $22
+		$22.Name = Fields (Private)
+		$22.AllowedPrefixes = $23
+		$23.String = _
+		$23.String = m_
+		$22.AffectedEntity = Field, ReadonlyField
+		$22.VisibilityMask = Private
+		$22.NamingStyle = CamelCase
+		$22.IncludeInstanceMembers = True
+		$22.IncludeStaticEntities = False
+		$7.NamingRule = $24
+		$24.Name = Static Fields (Private)
+		$24.AffectedEntity = Field
+		$24.VisibilityMask = Private
+		$24.NamingStyle = CamelCase
+		$24.IncludeInstanceMembers = False
+		$24.IncludeStaticEntities = True
+		$7.NamingRule = $25
+		$25.Name = ReadOnly Fields (Private)
+		$25.AllowedPrefixes = $26
+		$26.String = _
+		$26.String = m_
+		$25.AffectedEntity = ReadonlyField
+		$25.VisibilityMask = Private
+		$25.NamingStyle = CamelCase
+		$25.IncludeInstanceMembers = True
+		$25.IncludeStaticEntities = False
+		$7.NamingRule = $27
+		$27.Name = Constant Fields
+		$27.AffectedEntity = ConstantField
+		$27.VisibilityMask = VisibilityMask
+		$27.NamingStyle = PascalCase
+		$27.IncludeInstanceMembers = True
+		$27.IncludeStaticEntities = True
+		$7.NamingRule = $28
+		$28.Name = Properties
+		$28.AffectedEntity = Property
+		$28.VisibilityMask = VisibilityMask
+		$28.NamingStyle = PascalCase
+		$28.IncludeInstanceMembers = True
+		$28.IncludeStaticEntities = True
+		$7.NamingRule = $29
+		$29.Name = Events
+		$29.AffectedEntity = Event
+		$29.VisibilityMask = VisibilityMask
+		$29.NamingStyle = PascalCase
+		$29.IncludeInstanceMembers = True
+		$29.IncludeStaticEntities = True
+		$7.NamingRule = $30
+		$30.Name = Enum Members
+		$30.AffectedEntity = EnumMember
+		$30.VisibilityMask = VisibilityMask
+		$30.NamingStyle = PascalCase
+		$30.IncludeInstanceMembers = True
+		$30.IncludeStaticEntities = True
+		$7.NamingRule = $31
+		$31.Name = Parameters
+		$31.AffectedEntity = Parameter
+		$31.VisibilityMask = VisibilityMask
+		$31.NamingStyle = CamelCase
+		$31.IncludeInstanceMembers = True
+		$31.IncludeStaticEntities = True
+		$7.NamingRule = $32
+		$32.Name = Type Parameters
+		$32.RequiredPrefixes = $33
+		$33.String = T
+		$32.AffectedEntity = TypeParameter
+		$32.VisibilityMask = VisibilityMask
+		$32.NamingStyle = PascalCase
+		$32.IncludeInstanceMembers = True
+		$32.IncludeStaticEntities = True
+		$0.TextStylePolicy = $34
+		$34.inheritsSet = null
+		$34.scope = application/x-ashx
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Backup/WebGoat/AddNewUser.aspx

@@ -0,0 +1,58 @@
+<%@ Page Title="" Language="C#" MasterPageFile="~/Resources/Master-Pages/Site.Master" AutoEventWireup="true" CodeBehind="AddNewUser.aspx.cs" Inherits="OWASP.WebGoat.NET.AddNewUser" %>
+<asp:Content ID="Content1" ContentPlaceHolderID="HeadContentPlaceHolder" runat="server">
+
+</asp:Content>
+
+<asp:Content ID="Content3" ContentPlaceHolderID="HelpContentPlaceholder" runat="server">
+    This page allows you to add a new user
+</asp:Content>
+
+
+<asp:Content ID="Content2" ContentPlaceHolderID="BodyContentPlaceholder" runat="server">
+<h1 class="title-regular-4 clearfix">Add New User</h1>
+	<%-- 
+    <p>
+        <asp:CreateUserWizard ID="RegisterUser" runat="server" 
+            CancelDestinationPageUrl="~/Default.aspx" 
+            ContinueDestinationPageUrl="~/Default.aspx" DisplayCancelButton="True"
+            oncreatinguser="RegisterUser_CreatingUser">
+            <WizardSteps>
+                <asp:CreateUserWizardStep ID="CreateUserWizardStep1" runat="server" />
+                <asp:CompleteWizardStep ID="CompleteWizardStep1" runat="server" />
+            </WizardSteps>
+        </asp:CreateUserWizard>
+    </p>
+    --%>
+    <p>
+        <asp:Label runat="server" id="InvalidUserNameOrPasswordMessage" Visible="false" EnableViewState="false" ForeColor="Red"></asp:Label>
+    </p>
+
+    <p>
+    <table>
+    <tr>
+        <td>Enter a username: </td>
+        <td><asp:TextBox ID="Username" runat="server"></asp:TextBox></td>
+
+    </tr>
+    <tr>
+        <td>Choose a password:</td>
+        <td><asp:TextBox ID="Password" TextMode="Password" runat="server"></asp:TextBox></td>
+    </tr>
+    <tr>    
+        <td>Enter your email address:</td>
+        <td><asp:TextBox ID="Email" runat="server"></asp:TextBox></td>
+    </tr>
+    <tr>
+        <td><asp:Label runat="server" ID="SecurityQuestion"></asp:Label>: </td>
+        <td><asp:TextBox ID="SecurityAnswer" runat="server"></asp:TextBox> </td>
+    </tr>
+    </table>          
+   	<p/>
+        <asp:Button ID="CreateAccountButton" runat="server" 
+            Text="Create the User Account" onclick="CreateAccountButton_Click" />
+    </p>
+    <p>
+        <asp:Label ID="CreateAccountResults" runat="server"></asp:Label>
+    </p>    
+</asp:Content>
+

Backup/WebGoat/AddNewUser.aspx.cs

@@ -0,0 +1,100 @@
+using System;
+using System.Collections;
+using System.Configuration;
+using System.Data;
+using System.Linq;
+using System.Web;
+using System.Web.Security;
+using System.Web.UI;
+using System.Web.UI.HtmlControls;
+using System.Web.UI.WebControls;
+using System.Web.UI.WebControls.WebParts;
+
+namespace OWASP.WebGoat.NET
+{
+	public partial class AddNewUser : System.Web.UI.Page
+	{
+		const string passwordQuestion = "What is your favorite color";
+
+	    protected void Page_Load(object sender, EventArgs e)
+	    {
+	        if (!Page.IsPostBack)
+	            SecurityQuestion.Text = passwordQuestion;
+	    }
+
+	    protected void CreateAccountButton_Click(object sender, EventArgs e)
+	    {
+	        MembershipCreateStatus createStatus;
+
+	        MembershipUser newUser = 
+	             Membership.CreateUser(Username.Text, Password.Text,
+	                                   Email.Text, passwordQuestion,
+	                                   SecurityAnswer.Text, true,
+	                                   out createStatus);
+
+			if(newUser == null)
+				Console.WriteLine("New User is null!");
+
+	        switch (createStatus)
+	        {
+	            case MembershipCreateStatus.Success:
+	                CreateAccountResults.Text = "The user account was successfully created!";
+	                break;
+
+	            case MembershipCreateStatus.DuplicateUserName:
+	                CreateAccountResults.Text = "There already exists a user with this username.";
+	                break;
+
+	            case MembershipCreateStatus.DuplicateEmail:
+	                CreateAccountResults.Text = "There already exists a user with this email address.";
+	                break;
+
+	            case MembershipCreateStatus.InvalidEmail:
+	                CreateAccountResults.Text = "There email address you provided in invalid.";
+	                break;
+
+	            case MembershipCreateStatus.InvalidAnswer:
+	                CreateAccountResults.Text = "There security answer was invalid.";
+	                break;
+
+	            case MembershipCreateStatus.InvalidPassword:
+	                CreateAccountResults.Text = "The password you provided is invalid. It must be seven characters long and have at least one non-alphanumeric character.";
+	                break;
+
+	            default:
+	                CreateAccountResults.Text = "There was an unknown error; the user account was NOT created.";
+	                break;
+	        }
+	    }
+
+	    protected void RegisterUser_CreatingUser(object sender, LoginCancelEventArgs e)
+	    {
+	    	/*
+	        string trimmedUserName = RegisterUser.UserName.Trim();
+	        if (RegisterUser.UserName.Length != trimmedUserName.Length)
+	        {
+	            // Show the error message
+	            InvalidUserNameOrPasswordMessage.Text = "The username cannot contain leading or trailing spaces.";
+	            InvalidUserNameOrPasswordMessage.Visible = true;
+	
+	            // Cancel the create user workflow
+	            e.Cancel = true;
+	        }
+	        else
+	        {
+	            // Username is valid, make sure that the password does not contain the username
+	            if (RegisterUser.Password.IndexOf(RegisterUser.UserName, StringComparison.OrdinalIgnoreCase) >= 0)
+	            {
+	                // Show the error message
+	                InvalidUserNameOrPasswordMessage.Text = "The username may not appear anywhere in the password.";
+	                InvalidUserNameOrPasswordMessage.Visible = true;
+	
+	                // Cancel the create user workflow
+	                e.Cancel = true;
+	            }
+	        }
+	        */
+		}
+	}
+}
+