From 036964495b0c1d404d3bd200be53434718ab1a1f Mon Sep 17 00:00:00 2001 From: "sherif.fathy" Date: Thu, 11 Jan 2007 05:14:09 +0000 Subject: [PATCH] Fixed comments by Bruce git-svn-id: http://webgoat.googlecode.com/svn/trunk@59 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../org/owasp/webgoat/lessons/CSRF.java | 14 +++++++------- .../org/owasp/webgoat/lessons/DOMInjection.java | 3 +-- .../owasp/webgoat/lessons/ForcedBrowsing.java | 7 +++---- .../owasp/webgoat/lessons/HttpSplitting.java | 8 ++++++-- .../owasp/webgoat/lessons/JSONInjection.java | 3 +++ .../org/owasp/webgoat/lessons/LogSpoofing.java | 3 +++ .../org/owasp/webgoat/lessons/NewLesson.java | 5 ++--- .../webgoat/lessons/SilentTransactions.java | 17 ++++++++++++++++- .../owasp/webgoat/lessons/XPATHInjection.java | 6 ++---- .../WebContent/lesson_plans/HttpSplitting.html | 12 ++++++------ .../lesson_plans/SilentTransactions.html | 2 +- webgoat/main/project/WebContent/webgoat.jsp | 4 ++-- 12 files changed, 52 insertions(+), 32 deletions(-) diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java index 68f87ddee..0f7eaea7c 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java @@ -219,11 +219,7 @@ public class CSRF extends LessonAdapter { TR row2 = new TR( new TD( new B(new StringElement( "Message:" )) ) ); row2.addElement( new TD( new StringElement( messageData ) ) ); t.addElement( row2 ); - - // Edited by Chuck Willis - added display of the user who posted the message, so that - // if users use a cross site request forgery or XSS to make another user post a message, - // they can see that the message is attributed to that user - + TR row3 = new TR( new TD( new StringElement( "Posted By:" ) ) ); row3.addElement( new TD( new StringElement( results.getString( USER_COL ) ) ) ); t.addElement( row3 ); @@ -268,8 +264,8 @@ public class CSRF extends LessonAdapter { hints.add( "Enter some text and try to include an image in there." ); hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." ); hints.add( "The format of an image in html is 
<img src=\"[URL]\" width=\"1\" height=\"1\" />
"); - hints.add( "Include this URL in the message 
<img src='http://localhost:8080/WebGoat/attack?"+
-			        "&Screen=" + String.valueOf(getScreenId()) +
+		hints.add( "Include this URL in the message 
<img src='http://localhost/WebGoat/attack?"+
+			        "Screen=" + String.valueOf(getScreenId()) +
 			        "&menu=" + getDefaultCategory().getRanking().toString() +
 			        "&transferFunds=5000' width=\"1\" height=\"1\" />
");
 		
@@ -296,4 +292,8 @@ public class CSRF extends LessonAdapter {
 		return nameroot;
 	}
 
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
+	}
+	
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java
index 0e1eef35d..89d4c035b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java	
@@ -111,8 +111,7 @@ public class DOMInjection extends LessonAdapter {
 	}
 
 	public Element getCredits() {
-
-		return new StringElement("This screen created by: Sherif Koussa");
+		return new StringElement("Created by Sherif Koussa");
 	}
 
 	protected Category getDefaultCategory() {
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
index 55c2cb258..f52c4548b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java	
@@ -98,7 +98,7 @@ public class ForcedBrowsing extends LessonAdapter
 		hints.add( "Try to guess the URL for the config page" );
 		hints.add( "The config page is guessable and hackable" );
 		hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );
-		hints.add( "Try to navigate to http://localhost:8080/WebGoat/config" );
+		hints.add( "Try to navigate to http://localhost/WebGoat/config" );
 		return hints;
 	}
 
@@ -119,9 +119,8 @@ public class ForcedBrowsing extends LessonAdapter
 		return ( "Forced Browsing" );
 	}
 	
-	public Element getCredits()
-	{
-		return new StringElement("This screen created by: Sherif Koussa");
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
 	}
 }
 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index e04eb26e0..cb73b7ddb 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java	
@@ -152,7 +152,7 @@ public class HttpSplitting extends LessonAdapter {
 		try 
 		{
 			s.setMessage("Now that you have successfully performed an HTTP Splitting, now try to poison" +
-					" the victim's cache using. Type 'restart' in the input field if you wish to " +
+					" the victim's cache. Type 'restart' in the input field if you wish to " +
 					" to return to the HTTP Splitting lesson.

");
 			if ( s.getParser().getRawParameter( LANGUAGE, "YOUR_NAME" ).equals("restart"))
 			{
@@ -206,7 +206,7 @@ public class HttpSplitting extends LessonAdapter {
 		hints.add( "Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date." );
 		hints.add( "Try language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>" );
 		hints.add( "'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page");
-		hints.add( "Try to intercept the reply and add HTTP/1.1 304 Not Modified0d%0aDate:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT");
+		hints.add( "Try to intercept the reply and add HTTP/1.1 304 Not Modified0d%0aDate:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT");
 		return hints;
 	
 	}
@@ -228,4 +228,8 @@ public class HttpSplitting extends LessonAdapter {
 		return ( "HTTP Splitting" );
 	}
 
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
+	}
+
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java
index f9ff8a44b..7fd1e0102 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java	
@@ -216,5 +216,8 @@ public class JSONInjection extends LessonAdapter {
 		return ( "JSON Injection" );
 	}
 
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
+	}
 
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
index 3eacc29c3..44ec827fc 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java	
@@ -120,4 +120,7 @@ public class LogSpoofing extends LessonAdapter {
 		return AbstractLesson.A6;
 	}
 
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
+	}
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java
index 28b4a0d7e..85ee2937b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java	
@@ -55,9 +55,8 @@ public class NewLesson extends LessonAdapter
 		return ( "How to add a new WebGoat lesson" );
 	}
 
-	public Element getCredits()
-	{
-		return new StringElement("This screen created by: Sherif Koussa");
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
 	}
 }
 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
index f5a6e4796..9eb89b2d9 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java	
@@ -41,12 +41,24 @@ public class SilentTransactions extends LessonAdapter {
 			{
 				if (s.getParser().getRawParameter( "confirm", "").equals("Confirm"))
 				{
+					String amount = s.getParser().getRawParameter( "amount", "");
 					s.getResponse().setContentType("text/html");
 					s.getResponse().setHeader("Cache-Control", "no-cache");
 					PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
-					out.print("

* Congratulations. You have successfully completed this lesson.");	
+					StringBuffer result =  new StringBuffer();
+					result.append("

* Congratulations. You have successfully completed this lesson.
");
+					if (!amount.equals(""))
+					{
+						result.append("You have just silently authorized ");
+						result.append(amount);
+						result.append("$ without the user interaction.
");
+					}
+					result.append("Now you can send out a spam email containing this link and whoever clicks on it
");
+					result.append(" and happens to be logged in the same time will loose their money !!");
+					out.print(result.toString());	
 					out.flush();
 					out.close();
+					getLessonTracker(s).setCompleted(true);
 					return;
 				}
 				else if (s.getParser().getRawParameter( "confirm", "").equals("Transferring"))
@@ -217,5 +229,8 @@ public class SilentTransactions extends LessonAdapter {
 		return ( "Silent Transactions Attacks" );
 	}
 
+	public Element getCredits() {
+		return new StringElement("Created by Sherif Koussa");
+	}
 
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java
index 03cd13981..21025811f 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java	
@@ -163,11 +163,9 @@ public class XPATHInjection extends LessonAdapter {
 	}
 
 	public Element getCredits() {
-		
-		return new StringElement("Sherif Koussa");
+		return new StringElement("Created by Sherif Koussa");
 	}
 
-
 	protected Category getDefaultCategory() {
 		
 		return AbstractLesson.A6;
@@ -189,7 +187,7 @@ public class XPATHInjection extends LessonAdapter {
 		hints.add( "Remember that the data is stored in XML format." );
 		hints.add( "The system is using XPath to query." );
 		hints.add( "XPath is almost the same thing as SQL, the same hacking techniques apply too." );
-		hints.add( "Try username: Smtih' or 1=1 or 'a'='a and a password: anything " );
+		hints.add( "Try username: Smith' or 1=1 or 'a'='a and a password: anything " );
 		return hints;
 	}
 
diff --git a/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html b/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
index 283783705..7d00ff74d 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html	
+++ b/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html	
@@ -14,18 +14,18 @@ A victim application will not be checking for CR (carriage return, also given by
 and LF (line feed, also given by %0a or \n)characters. These characters not only give attackers control 
 of the remaining headers and body of the response the application intends to send, 
 but also allows them to create additional responses entirely under their control.

-The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisining. The goal of

-Cache Poisining attack is to poison the cache of the victim by fooling the cache to believe that the page

+The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisining. The goal of
+Cache Poisining attack is to poison the cache of the victim by fooling the cache to believe that the page
 hijacked using the HTTP splitting is a good one and it is indeed the server's copy.

-The attack happens using the HTTP Splitting attack plus adding the Last-Modified: header and setting it

-to a future date. This will force the browser to send If-Modified-Since request header, which gives the attacker

+The attack happens using the HTTP Splitting attack plus adding the Last-Modified: header and setting it
+to a future date. This will force the browser to send If-Modified-Since request header, which gives the attacker
 the chance to intercept the server's reply and replace it with a '304 Not Modified' reply. A sample of a 304 response is:

-HTTP/1.1 304 Not Modified 
+HTTP/1.1 304 Not Modified 

 Date: Fri, 30 Dec 2005 17:32:47 GMT
 
 
 
General Goal(s): 

 
 This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.

-Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your excercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.
+Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your excercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage and after stage 2 is exploited successfully you will find the green check in the left menu.
 
diff --git a/ webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html b/ webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html
index 7f052b18f..e7ae9f236 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html	
+++ b/ webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html	
@@ -13,7 +13,7 @@ Any system that silently processes transactions using a single submission is dan
 For example, if a normal web application allows a simple URL submission, a preset session attack will 
 allow the attacker to complete a transaction without the user’s authorization. 
 In Ajax, it gets worse: the transaction is silent; it happens with no user feedback on the page, 
-so an injected attack script may be able to steal money from the client without authorization.
+so an injected attack script may be able to steal money from the client without authorization.

 
 
General Goal(s): 

 
diff --git a/ webgoat/main/project/WebContent/webgoat.jsp b/ webgoat/main/project/WebContent/webgoat.jsp
index a9dd9adc4..d85af6ee7 100644
--- a/ webgoat/main/project/WebContent/webgoat.jsp	
+++ b/ webgoat/main/project/WebContent/webgoat.jsp	
@@ -51,7 +51,7 @@
                   
Documentation Contributer

                 
                 
-                  
Sherif Kousa

+                  
Sherif Koussa

                   
                   
Robert Sullivan

                   (http://www.unitedhealthgroup.com/) 

@@ -59,7 +59,7 @@
                 
                   
OWASP Autumn of Code

                   (http://www.owasp.org/) 

-                  
Sherif Kousa

+                  
Sherif Koussa