diff --git a/main/project/JavaSource/org/owasp/webgoat/LessonSource.java b/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
index 20f4c1dc5..4d4468d6a 100644
--- a/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
+++ b/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
@@ -152,7 +152,7 @@ public class LessonSource extends HammerHead } } if (source == null) { return "Source code is not available. Contact " - + s.getWebgoatContext().getFeedbackAddress(); } + + s.getWebgoatContext().getFeedbackAddressHTML(); } return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, "Code Section Deliberately Omitted")); }
@@ -175,7 +175,7 @@ public class LessonSource extends HammerHead } } if (source == null) { return "Solution is not available. Contact " - + s.getWebgoatContext().getFeedbackAddress(); } + + s.getWebgoatContext().getFeedbackAddressHTML(); } return (source); }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
index 7af2d7439..ae6ac7729 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -500,10 +500,13 @@ public abstract class AbstractLesson extends Screen implements Comparable" + + "Send this message to: " + + s.getWebgoatContext().getFeedbackAddress() + ""); } Html html = new Html();
@@ -530,10 +533,13 @@ public abstract class AbstractLesson extends Screen implements Comparable" + + "Send this message to: " + + s.getWebgoatContext().getFeedbackAddress() + ""); } Html html = new Html();
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java b/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
index ddab664d2..d9939eb3b 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java 
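Review bot: In both LessonSource hunks the new `getFeedbackAddressHTML()` result is concatenated straight into the returned text (`return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();` and the matching solution branch), and the LessonAdapter and ReportCardScreen hunks do the same, so whatever that setting holds is emitted as-is. The value is read from a servlet init-parameter rather than from the request, so the sink is deployment-trusted, but the `HTML` suffix suggests the setting is allowed to contain markup and nothing in the diff records that contract or where the value may come from. I would make the trust boundary explicit at the first call site with `// feedbackAddressHTML is deployment-supplied markup emitted verbatim; it must never be derived from request data`. The enclosing methods in LessonSource begin before their hunks.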
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
@@ -73,7 +73,7 @@ public abstract class LessonAdapter extends AbstractLesson + "In fact, most lessons can be created by following the easy to use instructions in the " + "WebGoat User Guide.  " + "If you would prefer, send your lesson ideas to " - + getWebgoatContext().getFeedbackAddress())); + + getWebgoatContext().getFeedbackAddressHTML())); String fileName = s.getContext().getRealPath("doc/New Lesson Instructions.txt"); if (fileName != null)
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
index 55bf94133..14397ff65 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
@@ -101,7 +101,7 @@ public class ReportCardScreen extends LessonAdapter { ElementContainer ec = new ElementContainer(); ec.addElement(new StringElement("Comments and suggestions are welcome. " - + getWebgoatContext().getFeedbackAddress() + "

")); + + getWebgoatContext().getFeedbackAddressHTML() + "

")); return ec; } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java b/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java index 5a8f29fa6..49eb28d0d 100755 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java @@ -34,7 +34,9 @@ public class WebgoatContext public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands"; - public final static String FEEDBACK_ADDRESS = "FeedbackAddress"; + public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML"; + + public final static String FEEDBACK_ADDRESS = "email"; public final static String DEBUG = "debug"; @@ -64,7 +66,9 @@ public class WebgoatContext private boolean codingExercises = false; - private String feedbackAddress = "webgoat@owasp.org"; + private String feedbackAddress = "webgoat@owasp.org"; + + private String feedbackAddressHTML = "webgoat@owasp.org"; private boolean isDebug = false; @@ -88,6 +92,8 @@ public class WebgoatContext defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS)); enterprise = "true".equals(getParameter(servlet, ENTERPRISE)); codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES)); + feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet, FEEDBACK_ADDRESS_HTML) + : feedbackAddressHTML; feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS) : feedbackAddress; showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); @@ -175,6 +181,11 @@ public class WebgoatContext return feedbackAddress; } + public String getFeedbackAddressHTML() + { + return feedbackAddressHTML; + } + public boolean isDebug() { return isDebug; diff --git a/main/project/WebContent/WEB-INF/web.xml b/main/project/WebContent/WEB-INF/web.xml index a7acfa348..ea46dea27 100755 --- a/main/project/WebContent/WEB-INF/web.xml 
+++ b/main/project/WebContent/WEB-INF/web.xml
@@ -111,6 +111,15 @@ org.owasp.webgoat.HammerHead + + email + WebGoat@owasp.org + + The EMAIL address of the administrator to whom questions + and comments about this application should be addressed. + + + debug false
diff --git a/main/project/WebContent/lesson_plans/TomcatSetup.html b/main/project/WebContent/lesson_plans/TomcatSetup.html
index ef5f0dda9..f1b9d6241 100644
--- a/main/project/WebContent/lesson_plans/TomcatSetup.html
+++ b/main/project/WebContent/lesson_plans/TomcatSetup.html
@@ -78,7 +78,20 @@ only discussed the whitebox approach. You have to add following lines to the Hos
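Review bot: The web.xml hunk adds only the `email` parameter; no `FeedbackAddressHTML` entry, the name WebgoatContext now reads for `getFeedbackAddressHTML()`, appears in this diff, so unless it is defined elsewhere in the descriptor the HTML variant always returns its compiled-in default. If a separate entry is intended, it should sit next to `email` with a description stating that its value is inserted into pages as raw markup, so that administrators know not to treat it as a plain address. The `email` description could likewise say that it expects a plain address with no markup. Note also that the descriptor value `WebGoat@owasp.org` differs in case from the code default `webgoat@owasp.org`; harmless for mail delivery, but worth aligning so the two sources do not drift.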

In this case only localhost, ip1 and ip2 are permitted to connect.

-

Users Configuration

+

WebGoat Default Users and Roles for Tomcat

+

+WebGoat requires the following users and roles to be configured in order for the application to run. +
+

+  >role rolename="webgoat_basic"/<
+  >role rolename="webgoat_admin"/<
+  >role rolename="webgoat_user"/<
+  >user username="webgoat" password="webgoat" roles="webgoat_admin"/<
+  >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/<
+  >user username="guest" password="guest" roles="webgoat_user"/<
+  
+

+

Adding Users

Usually using WebGoat you just use the user guest with the password guest. But maybe in laboratory you have made a setup with one server and a lot of
@@ -93,8 +106,8 @@ Adding a user is straight forward. You can use the guest entry as an example. Th users should have the same role as the guest user. Add lines like this to the file:

-	<user name="user1" password="password1" roles="webgoat_user"/>
-	<user name="user2" password="password2" roles="webgoat_user"/>
+	<user name="student1" password="password1" roles="webgoat_user"/>
+	<user name="student2" password="password2" roles="webgoat_user"/>
 	...
 
diff --git a/main/project/WebContent/lesson_plans/UsefulTools.html b/main/project/WebContent/lesson_plans/UsefulTools.html
index 3368211ef..e56bfb74a 100644
--- a/main/project/WebContent/lesson_plans/UsefulTools.html
+++ b/main/project/WebContent/lesson_plans/UsefulTools.html
@@ -2,12 +2,11 @@

Useful Tools

-Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab -to solve most of the lessons.

+Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab or Paros to solve most of the lessons.

WebScarab:

Like WebGoat, WebScarab is a part of OWASP. -WebScarab is a framework for analyzing applications that +WebScarab is a proxy for analyzing applications that communicate using the HTTP and HTTPS protocols. Because WebScarab operates as an intercepting proxy, we can review and modify requests and responses.

@@ -22,7 +21,7 @@ Webpage:http://www.getfirebu

IEWatch:

-IEWatch is a tool to analyse HTTP and HTML for users of the Internet Explorer.

+IEWatch is a tool to analyze HTTP and HTML for users of the Internet Explorer.



Webpage:
http://www.iewatch.com

@@ -37,7 +36,7 @@ Webpage:http://www.wireshark.

Scanner:

-There exist a lot of vulnerability scanner for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Here the links to two open source scanner.

+There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to two open source scanner.

Nessus:
http://www.nessus.org
Paros:http://www.parosproxy.org

diff --git a/main/project/WebContent/main.jsp b/main/project/WebContent/main.jsp
index 2ef7f6bd8..bc245e4a8 100644
--- a/main/project/WebContent/main.jsp
+++ b/main/project/WebContent/main.jsp
@@ -239,7 +239,11 @@ StringBuffer buildList = new StringBuffer();