Added 3 new lessons. Some strings are in the properties files, but not all. Modified CreateDB.java in order to create a new salaries table used by the new SQL injection lessons.

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@390 4033779f-a91e-0410-96ef-6bf7bf53c507
chuck@securityfoundry.com
2009-10-30 04:53:19 +00:00
parent 1dc6c799a7
commit 1c02094545
5 changed files with 837 additions and 7 deletions

@ -56,7 +56,7 @@ Refresh=Refresh
WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>.
WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
#RemoteAdminFlaw.java
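Review bot: The WeakAuthenticationCookieHints3 edit is a WebScarab link fix that has nothing to do with the three new lessons named in the commit message; it would be easier to review and to revert as its own commit. The same href now appears verbatim in this hint, in HiddenFieldTamperingHint3 and in the new BypassHtmlFieldRestrictions hints, so the next time the project page moves every string has to be edited again. Consider keeping the WebScarab link in one place that the hints are built from.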
@ -213,15 +213,28 @@ ThisAmountCharged=This amount will be charged to your credit card immediately.
HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server.
HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field.
HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint32= to
# Modify data with SQL Injection
EnterUserid=Enter your userid:
SqlModifyDataHint1=You can use SQL Injection to execute more than one SQL statement.
SqlModifyDataHint2=Use a semicolon (;) to separate SQL statements.
SqlModifyDataHint3=Modify data using a SQL UPDATE Statement.
SqlModifyDataHint4=For details and examples for SQL UPDATE statements, see <A href=\"http://www.w3schools.com/SQl/sql_update.asp\">http://www.w3schools.com/SQl/sql_update.asp</A>
SqlModifyDataHint5=SOLUTION:<br/>foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith
# Modify data with SQL Injection
SqlAddDataHint1=You can use SQL Injection to execute more than one SQL statement.
SqlAddDataHint2=Use a semicolon (;) to separate SQL statements. You will also need to comment out some characters that come after the injection with a double hyphen (--).
SqlAddDataHint3=Modify data using a SQL INSERT Statement.
SqlAddDataHint4=For details and examples for SQL INSERT statements, see <A href=\"http://www.w3schools.com/SQl/sql_insert.asp\">http://www.w3schools.com/SQl/sql_insert.asp</A>
SqlAddDataHint5=SOLUTION:<br/>bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --
# Bypass Html Field Restrictions
BypassHtmlFieldRestrictionsHint1=You must re-enable the disabled form field or manually add its parameter name to your request.
BypassHtmlFieldRestrictionsHint2=You can use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to intercept requests and make changes.
BypassHtmlFieldRestrictionsHint3=Rather than using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>, you could instead use the <A href=\"http://chrispederick.com/work/web-developer/\">Web Developer</a> and/or <A href=\"http://devels-playground.blogspot.com/\">Hackbar</a> Firefox extensions to complete this lesson.
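Review bot: The comment above the SqlAddDataHint keys repeats "# Modify data with SQL Injection" from the SqlModifyData block, and SqlAddDataHint3 reads "Modify data using a SQL INSERT Statement"; both look copied from the UPDATE lesson and should say "Add data" so the two lessons can be told apart in the file and in the hint shown to the student. In BypassHtmlFieldRestrictionsHint3 the two new anchors open with <A and close with </a>, while the other hints close with </A>; use one case throughout. The commit message notes that not all lesson strings are in the properties files yet, so a follow-up is needed to move the rest here before these lessons can be translated.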