A first attempt at internationalization of WebGoat. For complete internationalization WebGoat needs two things:
1. Every text passage/label that appears in lessons must be independent of the current language set for WebGoat.
2. Every lesson plan and solutions must be translated for each supported language.
Number 1 is achieved by using webgoat/util/WebgoatI18N.java and by having every output routed through this piece of code. You no longer say hints.add("Lesson Hint 1"); or ....addElement("Shopping Cart") but in the lesson you say hints.add(WebGoatI18N.get("Lesson Hint1")) or ....addElement(WebGoatI18N.get("Shopping Cart")). Then WebGoatI18N looks up the corresponding string for the language set as the current language and returns it.
Number 2 is achieved by having subdirectories in lesson_plans corresponding to every language. That means, a lesson that has been translated to Spanish and German will be found in lesson_plans/English and lesson_plans/Spanish and lesson_plans/German.
This is how WebGoat finds out about available languages: in Course.java in loadResources() it looks for lesson plans.
Unlike before, now a lesson plan can be found multiple times in different "language" directories. So for every directory the lesson plan is found in, WebGoat associates this language with the lesson and also lets WebGoatI18N load the appropriate WebGoatLabels_$LANGUAGE$.properties file which contains the translations of labels.
So this is what you have to do for a new language:
First of all, you have to copy and translate every lesson plan that you need in the new language, and then you also have to create a WebGoatLabels_$LANGUAGE$.properties file with the labels that will be used in these lessons. Atm WebGoat crashes (throws an exception) when a label is missing but this can be sorted out quickly.
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@389 4033779f-a91e-0410-96ef-6bf7bf53c507
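The label-file convention the commit message describes, one WebGoatLabels_<language>.properties per language with every string fetched by key through WebGoatI18N.get, means the files can only drift apart silently: a key renamed in one language, a key defined twice, or a fragment of the Java string literal copied along with the text is not noticed until the lookup misses at runtime. The checker below is an added example written for this page, not code from the WebGoat project. It parses the files with the line rules of java.util.Properties and reports the kinds of defects visible in the two new files. The ENGLISH and GERMAN strings are constructed samples that reproduce those defects in a few lines, and the names lint, parse_properties, run_example and the finding texts are this example's own.

```python
"""Consistency check for WebGoatLabels_<language>.properties files (added example).

Reads the files with java.util.Properties line rules ('#'/'!' comment lines, key ends at
the first unescaped '=', ':' or whitespace, trailing backslash continues the line, unknown
escapes drop the backslash) and reports what makes a WebGoatI18N.get() lookup fail or
display wrongly: duplicate keys, keys present in one language only, Java source fragments
left in values, and raw non-ASCII text (Properties.load(InputStream) decodes ISO-8859-1).
"""
import re

def unescape(s):
    """Apply java.util.Properties escape rules to a key or value."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "u" and i + 5 < len(s):      # \uXXXX
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:                                # \\, \t, ... or an unknown escape
                out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(n, n))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def split_key_value(line):
    """Split a logical line at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2                               # escaped char belongs to the key
        elif line[i] in "=: \t\f":
            break
        else:
            i += 1
    key, rest = line[:i], line[i:].lstrip(" \t\f")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t\f")
    return unescape(key), unescape(rest)

def parse_properties(text):
    """Return (properties, duplicate_keys) for one .properties file text."""
    props, dups, buf = {}, [], None
    for raw in text.splitlines() + [""]:         # sentinel closes a continuation at EOF
        line = raw.lstrip()                      # leading whitespace is never significant
        if buf is None:
            if not line or line[0] in "#!":      # blank or comment line (never continued)
                continue
            buf = line
        else:
            buf += line
        trailing = re.search(r"\\+$", buf)
        if trailing and len(trailing.group()) % 2 == 1:
            buf = buf[:-1]                       # odd backslash count escapes the newline
            continue
        key, value = split_key_value(buf)
        if key in props:
            dups.append(key)
        props[key] = value                       # last definition wins, as in Properties
        buf = None
    return props, dups

JAVA_FRAGMENTS = ('" + "', '");')                # leftovers of Java string literals

def lint(label_files):
    """label_files maps language name -> file text; returns the sorted findings."""
    findings, parsed = [], {}
    for lang, text in label_files.items():
        parsed[lang], dups = parse_properties(text)
        findings += [f"{lang}: duplicate key {k} (only the last value survives)" for k in dups]
        for key, value in parsed[lang].items():
            findings += [f"{lang}: {key} contains Java fragment {f!r}"
                         for f in JAVA_FRAGMENTS if f in value]
            if any(ord(ch) > 127 for ch in value):
                findings.append(f"{lang}: {key} has non-ASCII text; use \\uXXXX escapes")
    for a in parsed:                             # every key must exist in every language
        for b in parsed:
            findings += [f"{b}: missing key {k} (present in {a})"
                         for k in sorted(parsed[a].keys() - parsed[b].keys())]
    return sorted(findings)

# Constructed samples that reproduce the commit's defects; not the real label files.
ENGLISH = r"""
#General
LessonCompleted=Congratulations. You have successfully completed this lesson.
Go!=Go!
BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials.
PathBasedAccessControlHint2=Use a file explorer to find the \
    tomcat\\webapps\\WebGoat\\lesson_plans directory");
NumericSqlInjectionSecondStage=Bet you can't do it again!
StoredXssHint1=You can put HTML tags in your message.
StoredXssHint1=Enter this: <script>alert(document.cookie);</script> in the message field.
"""
GERMAN = r"""
#General
LessonCompleted=Herzlichen Glückwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
Go!=Los gehts!
SecondStage=Ich wette das können Sie nicht wiederholen.
StoredXssHint1=Sie können HTML tags in Ihre Nachricht einbauen.
"""

def run_example():
    """Lint the two constructed samples; returns the findings list."""
    return lint({"english": ENGLISH, "german": GERMAN})

if __name__ == "__main__":
    print("\n".join(run_example()))
```

Running the script prints the findings for the constructed samples: the duplicated StoredXssHint1, the two Java fragments, the umlauts that need \uXXXX escapes, and the keys that exist in only one of the two files. To run it against real label files, read each one with the ISO-8859-1 codec (the encoding Properties.load expects) and pass the texts to lint keyed by language name; wiring that check into the build is what turns the "missing label throws" behaviour from a runtime surprise into a failed build.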
			
			
main/project/JavaSource/WebGoatLabels_english.properties (new file, 228 lines)
							| @ -0,0 +1,228 @@ | ||||
| #General | ||||
| LessonCompleted=Congratulations. You have successfully completed this lesson. | ||||
| RestartLesson=Restart this Lesson | ||||
| SolutionVideos=Solution Videos | ||||
| ErrorGenerating=Error generating | ||||
| InvalidData=Invalid Data  | ||||
|  | ||||
|  | ||||
| #HttpBasics.java | ||||
| EnterYourName=Enter your Name | ||||
| Go!=Go! | ||||
|  | ||||
| #BasicAuthentication.java | ||||
| BasicAuthHeaderNameIncorrect=Basic Authentication header name is incorrect. | ||||
| BasicAuthHeaderValueIncorrect=Basic Authentication header value is incorrect. | ||||
| BasicAuthenticationWhatIsNameOfHeader=What is the name of the authentication header: | ||||
| BasicAuthenticationWhatIsDecodedValueOfHeader=What is the decoded value of the authentication header: | ||||
| Submit=Submit | ||||
| BasicAuthenticationGreenStars1=Close your browser and login as  | ||||
| BasicAuthenticationGreenStars2= to get your green stars back. | ||||
| BasicAuthenticationStage1Completed=Congratulations, you have figured out the mechanics of basic authentication.  - Now you must try to make WebGoat reauthenticate you as:      - username:  basic     - password:  basic. Use the Basic Authentication Menu to start at login page. | ||||
| BasicAuthenticationAlmostThere1=You're almost there!  You've modified the  | ||||
| BasicAuthenticationAlmostThere2= header but you are still logged in as  | ||||
| BasicAuthenticationAlmostThere3=.  Look at the request after you typed in the 'basic' user credentials and submitted the request.  Remember the order of events that occur during Basic Authentication. | ||||
| BasicAuthenticationReallyClose=You're really close!  Changing the session cookie caused the server to create a new session for you.  This did not cause the server to reauthenticate you. When you figure out how to force the server to perform an authentication request, you have to authenticate as:<br><br>    user name: basic<br>     password: basic<br> | ||||
| BasicAuthenticationUseTheHints=Use the hints!  One at a time... | ||||
|  | ||||
| BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request.  Look at the cookies. | ||||
| 		 | ||||
| BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials. | ||||
| BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials. | ||||
| BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie. | ||||
|  | ||||
| BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request.  Look at the cookies. | ||||
| BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity. | ||||
| BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials | ||||
| BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client. | ||||
| BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header. | ||||
|  | ||||
|  | ||||
| #WeakAuthenticationCookie.java | ||||
| InvalidCookie=Invalid cookie | ||||
| IdentityRemembered=Your identity has been remembered | ||||
| InvalidUsernameAndPassword=Invalid username and password entered. | ||||
| UserName=User Name  | ||||
| Password=Password  | ||||
| Login=Login | ||||
| RequiredFields=Required Fields | ||||
| WeakAuthenticationCookiePleaseSignIn=Please sign in to your account.  See the OWASP admin if you do not have an account. | ||||
| SignIn=Sign in | ||||
| PasswordForgotten=Goodbye!  Your password has been forgotten | ||||
| WelcomeUser=Welcome,  | ||||
| YouHaveBeenAuthenticatedWith=You have been authenticated with  | ||||
| Logout=Logout | ||||
| Refresh=Refresh | ||||
|  | ||||
| WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie. | ||||
| WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password? | ||||
| WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>. | ||||
| WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names? | ||||
|  | ||||
| #RemoteAdminFlaw.java | ||||
| RemoteAdminFlawHint1=WebGoat has 2 admin interfaces. | ||||
| RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable' | ||||
| RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable' | ||||
| RemoteAdminFlawHint4=Follow the Source! | ||||
| RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions' | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| #PathBasedAccessControl.java | ||||
| CurrentDirectory=Current Directory is: | ||||
| ChooseFileToView=Choose the file to view: | ||||
| ViewFile=View File | ||||
| AccessDenied=Access denied | ||||
| ItAppears1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see one file in this directory. | ||||
| ItAppears2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see files in the webgoat directory. | ||||
| CongratsAccessToFileAllowed=Congratulations! Access to file allowed | ||||
| FileInAllowedDirectory=File is already in allowed directory - try again! | ||||
| AccessToFileDenied1=Access to file/directory " | ||||
| AccessToFileDenied2=" denied | ||||
| FileTooLarge=File is too large | ||||
| FileBinary=File is binary | ||||
| TheFollowingError=The following error occurred while accessing the file: < | ||||
| PathBasedAccessControlInstr1=The ' | ||||
| PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory.  Try to break the access control mechanism and access a resource that is not in the listed directory.  After selecting a file to view, WebGoat will report if access to the file was granted.  An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml | ||||
| ErrorGenerating=Error generating  | ||||
| ViewingFile=Viewing file: | ||||
| File=File:  | ||||
| Dir=Dir:  | ||||
| IsFile=  - isFile():  | ||||
| Exists=  - exists(): | ||||
| PathBasedAccessControlHint1=Most operating systems allow special characters in the path. | ||||
| PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); | ||||
| PathBasedAccessControlHint3=Try .. in the path | ||||
| PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| #CommandInjection.java  | ||||
| Command=Command | ||||
| CommandInjectionRightTrack1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig. | ||||
| CommandInjectionRightTrack2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. This lesson is a command injection lesson, not access control. | ||||
| YouAreCurrentlyViewing=You are currently viewing:  | ||||
| SelectFileFromListBelow=select file from list below | ||||
| SelectLessonPlanToView=Select the lesson plan to view: | ||||
| View=View | ||||
| CommandInjectionHint1=The application is using a system command to return the contents of a file. | ||||
| CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;) | ||||
| CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix. | ||||
| CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes | ||||
|  | ||||
|  | ||||
|  | ||||
| #NumericSqlInjection.java | ||||
| NumericSqlInjectionSecondStage=Bet you can't do it again! This lesson has detected your successfull attack and has now switched to a defensive mode. Try again to attack a parameterized query. | ||||
| NoResultsMatched=No results matched.  Try Again. | ||||
| NumericSqlInjectionSecondStage2=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. | ||||
| ErrorParsingAsNumber=Error parsing station as a number:  | ||||
| SelectYourStation=Select your local weather station:  | ||||
|  | ||||
| SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command. | ||||
| SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br>"SELECT * FROM weather_data WHERE station = " + station   | ||||
| SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true.  | ||||
| SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ]. | ||||
|  | ||||
|  | ||||
|   | ||||
|   | ||||
| #StringSqlInjection.java | ||||
| StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query.  Restart the lesson if you wish to return to the injectable query. | ||||
| EnterLastName=Enter your last name:  | ||||
| NoResultsMatched=No results matched.  Try Again. | ||||
| SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command. | ||||
| SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"  | ||||
| SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true | ||||
| SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. | ||||
|  | ||||
|  | ||||
| 		 | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| #LogSpoofing.java | ||||
| LoginFailedForUserName=Login failed for username | ||||
| LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME | ||||
| LogSpoofingHint1=Try to fool the human eye by using new lines. | ||||
| LogSpoofingHint2=Use CR (%0d) and LF (%0a) for a new line. | ||||
| LogSpoofingHint3=Try: Smith%0d%0aLogin Succeeded for username: admin | ||||
| LogSpoofingHint4=Try: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>  | ||||
|  | ||||
| #StoredXss.java | ||||
| StoredXssHint1=You can put HTML tags in your message. | ||||
| StoredXssHint1=Bury a SCRIPT tag in the message to attack anyone who reads it. | ||||
| StoredXssHint1=Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field. | ||||
| StoredXssHint1=Enter this: <script>alert(document.cookie);</script> in the message field. | ||||
| MessageContentsFor=Message Contents For | ||||
| Title=Title | ||||
| PostedBy=Posted by | ||||
| CouldNotFindMessage=Could not find this message | ||||
| Message=Message | ||||
| MessageList=Message List | ||||
| CouldNotAddMessage=Could not add message to database | ||||
| ErroGeneratingMessageList=Error while getting message list. | ||||
|  | ||||
| #ReflectedXSS.java | ||||
| ReflectedXSSWhoops1=Whoops! You entered  | ||||
| ReflectedXSSWhoops2= instead of your three digit code.  Please try again. | ||||
| ShoppingCart=Shopping Cart  | ||||
| ShoppingCartItems=Shopping Cart Items -- To Buy Now | ||||
| Price=Price | ||||
| Quantity=Quantity | ||||
| Total=Total | ||||
| TotalChargedCreditCard=The total charged to your credit card | ||||
| UpdateCart=UpdateCart | ||||
| EnterCreditCard=Enter your credit card number | ||||
| Enter3DigitCode=Enter your three digit access code | ||||
| Purchase=Purchase | ||||
| ReflectedXSSHint1=A simple script is <SCRIPT>alert('bang!');</SCRIPT>. | ||||
| ReflectedXSSHint2=Can you get the script to disclose the JSESSIONID cookie? | ||||
| ReflectedXSSHint3=You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie | ||||
| ReflectedXSSHint4=Can you get the script to access the credit card form field? | ||||
| ReflectedXSSHint5=Try a cross site trace (XST) Command:<br><script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); document.write(str1);}</script>"); | ||||
|  | ||||
| #HtmlClues.java | ||||
| HtmlCluesBINGO=BINGO -- admin authenticated | ||||
| HtmlCluesHint1=You can view the HTML source by selecting 'view source' in the browser menu. | ||||
| HtmlCluesHint2=There are lots of clues in the HTML | ||||
| HtmlCluesHint3=Search for the word HIDDEN, look at URLs, look for comments. | ||||
|  | ||||
| #JavaScriptValidation.java | ||||
| 3LowerCase=Field1: exactly three lowercase characters | ||||
| Exactly3Digits=Field2: exactly three digits | ||||
| LettersNumbersSpaceOnly=Field3: letters, numbers, and space only | ||||
| EnumerationOfNumbers=Field4: enumeration of numbers | ||||
| SimpleZipCode=Field5: simple zip code | ||||
| ZIPDashFour=Field6: zip with optional dash four | ||||
| USPhoneNumber=Field7: US phone number with or without dashes | ||||
|  | ||||
| ServerSideValidationViolation=Server side validation violation:  You succeeded for | ||||
| JavaScriptValidationHint1=The validation is happening in your browser. | ||||
| JavaScriptValidationHint2=Try modifying the values with a proxy after they leave your browser | ||||
| JavaScriptValidationHint3=Another way is to delete the JavaScript before you view the page. | ||||
|  | ||||
| #HiddenFieldTampering.java | ||||
| TotalPriceIs=Your total price is  | ||||
| ThisAmountCharged=This amount will be charged to your credit card immediately. | ||||
|  | ||||
| HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server. | ||||
| HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field. | ||||
| HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from " | ||||
| HiddenFieldTamperingHint32= to  | ||||
|  | ||||
|  | ||||
|    | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
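Review bot: `StoredXssHint1` is defined four times in the #StoredXss.java block (from `StoredXssHint1=You can put HTML tags in your message.` down to `StoredXssHint1=Enter this: <script>alert(document.cookie);</script> in the message field.`); java.util.Properties keeps only the last value, so hints 2 to 4 are lost and, as the commit message says, a lookup for a missing label currently throws. Rename them StoredXssHint1 to StoredXssHint4. The same last-wins rule applies to the duplicated `ErrorGenerating` and `NoResultsMatched` keys; harmless now, but they will diverge silently. Several values still carry pieces of the Java string literals they were copied from and will be shown to the user verbatim: `" + "` in BasicAuthenticationHint2 and BasicAuthenticationHint3, the trailing `");` in PathBasedAccessControlHint2 and ReflectedXSSHint5, and the trailing `"` in HiddenFieldTamperingHint3. `HiddenFieldTamperingHint32` appears to be the second half of Hint3 ("from " ... " to "); a name that says so, or one value with a placeholder the lesson fills in, would be clearer. Minor: the `\"` escapes in WeakAuthenticationCookieHints3, StoredXssHint1 and HiddenFieldTamperingHint3 only work because Properties drops the backslash before an unrecognised escape; a plain `"` is what the format expects.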
							
								
								
									
main/project/JavaSource/WebGoatLabels_german.properties (new file, 208 lines)
							| @ -0,0 +1,208 @@ | ||||
| #General | ||||
| LessonCompleted=Herzlichen Gl<47>ckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen. | ||||
| RestartLesson=Lektion neu beginnen | ||||
| SolutionVideos=L<EFBFBD>sungsvideos | ||||
| ErrorGenerating=Fehler beim Generieren von | ||||
| InvalidData=Ung<EFBFBD>ltige Daten | ||||
|  | ||||
| #HttpBasics.java | ||||
| EnterYourName=Geben Sie Ihren Namen ein | ||||
| Go!=Los gehts! | ||||
|  | ||||
| #BasicAuthentication.java | ||||
| BasicAuthHeaderNameIncorrect=Basic Authentication Header Name ist inkorrekt. | ||||
| BasicAuthHeaderValueIncorrect=Basic Authentication Header Wert ist inkorrekt. | ||||
| BasicAuthenticationWhatIsNameOfHeader=Was ist der Name des Authentication Header: | ||||
| BasicAuthenticationWhatIsDecodedValueOfHeader=Was ist der dekodierte Wert des Authentication Header: | ||||
| Submit=Abschicken | ||||
| BasicAuthenticationGreenStars1=Schlie<EFBFBD>en Sie Ihren Browser und loggen sich Sich als  | ||||
| BasicAuthenticationGreenStars2= ein um Ihre gr<67>nen Sterne wiederzubekommen. | ||||
| BasicAuthenticationStage1Completed=Herzlichen Gl<47>ckwunsch, Sie haben die Grundlagen von Basic Authentication verstanden - Jetzt versuchen Sie sich von WebGoat als: username:  basic     - password:  basic authentisieren zu lassen. Benutzen Sie das Basic Authentication Menu um eine Login Seite zu <20>ffnen. | ||||
| BasicAuthenticationAlmostThere1=Sie Sind fast da! Sie haben den  | ||||
| BasicAuthenticationAlmostThere2= Header manipuliert aber Sie sind immernoch als   | ||||
| BasicAuthenticationAlmostThere3= eingeloggt. Schauen Sie sich den Request an nachdem Sie die 'basic' Authentisierungsdaten eingetippt haben und die Anfrage abgeschickt haben. Halten Sie sich die Reihenfolge der Ereignisse die bei Basic Authentication eintreten vor Augen.  | ||||
| BasicAuthenticationReallyClose=Sie sind sehr nahe dran!  Durch das <20>ndern des Session Cookie haben Sie den Server dazu gebracht eine neue Session f<>r Sie zu erstellen. Dies hat sie allerdings nicht re-authentisiert. Wenn Sie herausgefunden haben wie Sie den Server dazu zwingen k<>nnen Sie zu re-authentisieren dann authentisieren Sie sich als:<br><br>    user name: basic<br>     password: basic<br> | ||||
| BasicAuthenticationUseTheHints=Benutzen Sie die Hinweise! Einen nach dem anderen... | ||||
| BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request.  Look at the cookies. | ||||
| 		 | ||||
| BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials. | ||||
| BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials. | ||||
| BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie. | ||||
|  | ||||
| BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request.  Look at the cookies. | ||||
| BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity. | ||||
| BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials | ||||
| BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client. | ||||
| BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header. | ||||
|  | ||||
|  | ||||
|  | ||||
| #WeakAuthenticationCookie.java | ||||
| InvalidCookie=Ung<EFBFBD>ltiger Cookie! | ||||
| IdentityRemembered=Ihre Identit<69>t wurde abgespeichert | ||||
| InvalidUsernameAndPassword=Benutzername und Passwort ung<6E>ltig. | ||||
| UserName=Benutzername  | ||||
| Password=Passwort | ||||
| Login=Anmelden | ||||
| RequiredFields=*Ben<65>tigte Felder | ||||
| WeakAuthenticationCookiePleaseSignIn=Bitte melden Sie sich an. Kontaktieren Sie den OWASP Administrator wenn Sie keine Anmeldedaten haben. | ||||
| SignIn=Anmeldung | ||||
| PasswordForgotten=Auf Wiedersehen!  Ihr Passwort wurde vergessen | ||||
| WelcomeUser=Willkommen,  | ||||
| YouHaveBeenAuthenticatedWith=Sie wurden authentisiert mit  | ||||
| Logout=Abmelden | ||||
| Refresh=Neu Laden | ||||
|  | ||||
| WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie. | ||||
| WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password? | ||||
| WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>. | ||||
| WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names? | ||||
|  | ||||
| #RemoteAdminFlaw.java | ||||
| RemoteAdminFlawHint1=WebGoat has 2 admin interfaces. | ||||
| RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable' | ||||
| RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable' | ||||
| RemoteAdminFlawHint4=Follow the Source! | ||||
| RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions' | ||||
|  | ||||
|  | ||||
|   | ||||
| #PathBasedAccessControl.java | ||||
| CurrentDirectory=Das aktuelle Verzeichnis ist: | ||||
| ChooseFileToView=W<EFBFBD>hlen Sie die Datei zum Anzeigen: | ||||
| ViewFile=Datei anzeigen | ||||
| AccessDenied=Zugang verweigert | ||||
| ItAppears1=Es scheint als w<>ren Sie auf dem richtigen Weg. Befehle die das Betriebssystem beeinflussen k<>nnten werden ignoriert. Sie d<>rfen nur eine Datei in diesem Verzeichnis anzeigen. | ||||
| ItAppears2=Es scheint als w<>ren Sie auf dem richtigen Weg. Befehle die das Betriebssystem beeinflussen k<>nnten werden ignoriert. Sie d<>rfen nur Dateien im WebGoat Verzeichnis anzeigen. | ||||
| CongratsAccessToFileAllowed=Herzlichen Gl<47>ckwunsch! Zugang zur Datei gew<65>hrt | ||||
| FileInAllowedDirectory=Die Datei ist bereits in einem erlaubten Verzeichnis - Versuchen Sie es erneut! | ||||
| AccessToFileDenied1=Zugang zu Datei/Verzeichnis " | ||||
| AccessToFileDenied2=" verweigert | ||||
| FileTooLarge=Datei ist zu gro<72> | ||||
| FileBinary=Datei hat bin<69>r-Inhalt | ||||
| TheFollowingError=Der folgende Fehler trat auf beim Zugriff auf die Datei: < | ||||
| PathBasedAccessControlInstr1=Der ' | ||||
| PathBasedAccessControlInstr2=' Benutzer hat Zugriff auf alle Dateien im lesson_plans/English Verzeichnis. Versuchen Sie den Zugangsmechanismus zu brechen indem Sie auf eine Resource zugreifen die nicht im gelisteten Verzeichnis liegt. Nachdem Sie eine Datei ausgew<65>hlt haben, wird WebGoat Ihnen sagen ob Sie Zugriff darauf haben. Eine interessante Datei k<>nnte tomcat/conf/tomcat-users.xml sein. | ||||
| ErrorGenerating=Fehler beim Generieren von  | ||||
| ViewingFile=Anzeige von Datei: | ||||
| File=Datei:  | ||||
| Dir=Verzeichnis:  | ||||
| IsFile=  - isFile() (ist eine Datei):  | ||||
| Exists=  - exists() (existiert):  | ||||
|  | ||||
| PathBasedAccessControlHint1=Most operating systems allow special characters in the path. | ||||
| PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); | ||||
| PathBasedAccessControlHint3=Try .. in the path | ||||
| PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE | ||||
|  | ||||
|  | ||||
| #CommandInjection.java  | ||||
| Command=Befehl | ||||
| CommandInjectionRightTrack1=Es scheint, dass Sie auf dem richtigen Weg sind. Befehle die das Betriebssystem kompromittieren k<>nnen wurden deaktiviert. Die folgenden Befehle sind erlaubt: netstat -a, dir, ls, ifconfig und ipconfig.  | ||||
| CommandInjectionRightTrack2=Es scheint, dass Sie auf dem richtigen Weg sind. Befehle die das Betriebssystem kompromittieren k<>nnen wurden deaktiviert. In dieser Lektion geht es um das Einschleusen von Befehlen, nicht um Zugangskontrolle. | ||||
| YouAreCurrentlyViewing=Sie betrachten gerade: | ||||
| SelectFileFromListBelow=w<EFBFBD>hlen Sie eine Datei aus der Liste  | ||||
| SelectLessonPlanToView=W<EFBFBD>hlen Sie die zu betrachtende Lektion aus:  | ||||
| View=Anzeigen  | ||||
| CommandInjectionHint1=The application is using a system command to return the contents of a file. | ||||
| CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;) | ||||
| CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix. | ||||
| CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes | ||||
|  | ||||
|  | ||||
|  | ||||
| #NumericSqlInjection.java | ||||
| SecondStage=Ich wette das k<>nnen Sie nicht wiederholen. Diese Lektion hat nun in einen defensiven Modus gewechselt. Versuchen Sie nun eine parametrisierte Anfrage anzugreifen.  | ||||
| NoResultsMatched=Keine Resultate gefunden. Versuchen Sie es erneut. | ||||
| SecondStage2=Da sie nun erfolgreich eine SQL Injection durchgef<65>hrt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. | ||||
| ErrorParsingAsNumber=Fehler beim interpretieren der Wetterstationsnummer als Zahl:  | ||||
| SelectYourStation=W<EFBFBD>hlen Sie Ihre lokale Wetterstation aus: | ||||
| SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command. | ||||
| SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br>"SELECT * FROM weather_data WHERE station = " + station   | ||||
| SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true.  | ||||
| SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ]. | ||||
|  | ||||
|  | ||||
| #StringSqlInjection.java | ||||
| StringSqlInjectionSecondStage=Da sie nun erfolgreich eine SQL Injection durchgef<65>hrt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. Starten Sie Diese Lektion neu, wenn Sie zur verwundbaren SQL Anfrage gelangen m<>chten. | ||||
| EnterLastName=Geben Sie Ihren Nachnamen ein:  | ||||
| NoResultsMatched=Keine Resultate gefunden, versuchen Sie es erneut | ||||
| SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command. | ||||
| SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"  | ||||
| SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true | ||||
| SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. | ||||
|  | ||||
|  | ||||
| #LogSpoofing.java | ||||
| LoginFailedForUserName=Login failed for username | ||||
| LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME | ||||
| LogSpoofingHint1=Versuchen Sie das menschliche Auge durch Einf<6E>gen von weiteren Zeilen zu verwirren | ||||
| LogSpoofingHint2=Benutzen Sie CR (%0d) und LF (%0a) f<>r eine neue Zeile. | ||||
| LogSpoofingHint3=Versuchen Sie: Smith%0d%0aLogin Succeeded for username: admin | ||||
| LogSpoofingHint4=Versuchen Sie: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>  | ||||
|  | ||||
| #StoredXss.java | ||||
| StoredXssHint1=Sie k<>nnen HTML tags in Ihre Nachricht einbauen. | ||||
| StoredXssHint1=Bauen Sie ein SCRIPT tag in Ihre Nachricht ein um jeden Anzugreifen der sie liest | ||||
| StoredXssHint1=Geben Sie:  <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in das Nachrichtenfeld ein. | ||||
| StoredXssHint1=Geben Sie: <script>alert(document.cookie);</script> in das Nachrichtenfeld ein. | ||||
| MessageContentsFor=Nachrichteninhalt f<>r | ||||
| Title=Titel | ||||
| PostedBy=Geschrieben von | ||||
| CouldNotFindMessage=Konnte diese Nachricht nicht finden | ||||
| Message=Nachricht | ||||
| MessageList=Nachrichtenliste | ||||
| CouldNotAddMessage=Could not add message to database | ||||
| ErroGeneratingMessageList=Error while getting message list. | ||||
|  | ||||
|  | ||||
| #ReflectedXSS.java | ||||
| ReflectedXSSWhoops1=Ups! Sie haben   | ||||
| ReflectedXSSWhoops2= anstatt des drei stelligen Codes eingegeben. Bitte versuchen Sie es erneut. | ||||
| ShoppingCart=Warenkorb  | ||||
| ShoppingCartItems=Inhalt des Warenkorbs -- Jetzt kaufen | ||||
| Price=Preis | ||||
| Quantity=Menge | ||||
| Total=Gesamt | ||||
| TotalChargedCreditCard=Der Gesamtbetrag, mit dem Ihre Kreditkarte belastet wird  | ||||
| UpdateCart=Warenkorb aktualisieren | ||||
| EnterCreditCard=Geben Sie Ihre Kreditkartennummern ein | ||||
| Enter3DigitCode=Geben Sie Ihren 3-stelligen Sicherheitscode ein | ||||
| Purchase=Kaufen | ||||
| ReflectedXSSHint1=Ein einfaches Skript ist <SCRIPT>alert('bang!');</SCRIPT>. | ||||
| ReflectedXSSHint2=K<EFBFBD>nnen Sie das Skript dazu bringen den JSESSIONID Cookie zu ver<65>ffentlichen? | ||||
| ReflectedXSSHint3=Sie k<>nnen <SCRIPT>alert(document.cookie);</SCRIPT> benutzen um an den Session ID Cookie zu kommen | ||||
| ReflectedXSSHint4=K<EFBFBD>nnen Sie das Skript so gestalten, dass es an den Inhalt des Kreditkartenfeldes kommt? | ||||
| ReflectedXSSHint5=Versuchen Sie einen cross site trace (XST) Befehl:<br><script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); document.write(str1);}</script>"); | ||||
|  | ||||
| #HtmlClues.java | ||||
| HtmlCluesBINGO=BINGO -- admin authentisiert | ||||
| HtmlCluesHint1=Sie k<>nnen Sich den HTML Quellcode anschauen indem Sie "View Source" im Browser anklicken. | ||||
| HtmlCluesHint2=Es gibt viele Hinweise in HTML | ||||
| HtmlCluesHint3=Suchen Sie nach den Worten HIDDEN, schauen Sie sich URLs an und suchen Sie nach Kommentaren. | ||||
|   | ||||
| #JavaScriptValidation.java | ||||
| 3LowerCase=Feld1: genau drei kleine Buchstaben | ||||
| Exactly3Digits=Feld2: genau drei Ziffern | ||||
| LettersNumbersSpaceOnly=Feld3: Buchstaben, Ziffern und Leerzeichen | ||||
| EnumerationOfNumbers=Feld4: ausgeschriebene Ziffern | ||||
| SimpleZipCode=Feld5: Einfach Postleitzahlen (5 stellige Zahl) | ||||
| ZIPDashFour=Feld6: Postleitzahlen mit optionalem Bindestrich und 4 stelliger Zahl | ||||
| USPhoneNumber=Feld7: Telefonnummer in den USA, mit oder ohne Bindestriche | ||||
|  | ||||
| ServerSideValidationViolation=Server-seitige Validierungsversto<74>:  Sie waren erfolgreich f<>r | ||||
| JavaScriptValidationHint1=Die Validierung findet in Ihrem Browser statt. | ||||
| JavaScriptValidationHint2=Versuchen Sie den Wert zu ver<65>ndern nachdem er Ihren Browser verlassen hat. | ||||
| JavaScriptValidationHint3=Sie k<>nnen aber auch JavaScript abschalten, bevor Sie sich die Seite anschauen. | ||||
|  | ||||
| #HiddenFieldTampering.java | ||||
| TotalPriceIs=Der Gesamtpreis ist  | ||||
| ThisAmountCharged=Ihre Kreditkarte wird sofort mit dem Betrag belastet | ||||
|  | ||||
| HiddenFieldTamperingHint1=Die Applikation nutzt ein verstecktes Feld um Preisinformationen an den Server zu <20>bertragen. | ||||
| HiddenFieldTamperingHint2=Benutzen Sie ein Programm um den Wert des versteckten Feldes abzufangen und zu ver<65>ndern. | ||||
| HiddenFieldTamperingHint3=Benutzen Sie <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> um den Preis des Fernsehers auf einen anderen Wert einzustellen.   | ||||
| HiddenFieldTamperingHint32= bis  | ||||
|   | ||||
|   | ||||
|   | ||||
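Review bot: StoredXssHint1 is defined twice (once with the `alert(\"Ha Ha Ha\")` value, once with `alert(document.cookie)`); java.util.Properties keeps only the last definition, so the first hint is silently lost and the second entry presumably should be StoredXssHint2. Several umlauts arrive as mojibake (`f<>r`, `K<EFBFBD>nnen`, `ver<65>ffentlichen`, `<20>bertragen`), which means the file is not saved in ISO-8859-1 as Properties.load expects; save it as Latin-1 or write the characters as `\u00FC`-style escapes (native2ascii does this). ReflectedXSSHint5 ends in a stray `");` copied from the Java source, `HiddenFieldTamperingHint32= bis ` will lose its leading space because Properties strips whitespace before a value, and CouldNotAddMessage and ErroGeneratingMessageList are still English (the second key also has a typo, "Erro").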
| @ -10,7 +10,11 @@ import java.net.URL; | ||||
| import java.sql.ResultSet; | ||||
| import java.sql.SQLException; | ||||
| import java.sql.Statement; | ||||
| import java.util.HashMap; | ||||
| import java.util.LinkedList; | ||||
| import java.util.List; | ||||
| import java.util.Map; | ||||
|  | ||||
| import org.apache.ecs.Element; | ||||
| import org.apache.ecs.ElementContainer; | ||||
| import org.apache.ecs.StringElement; | ||||
| @ -26,6 +30,8 @@ import org.owasp.webgoat.session.Screen; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.session.WebgoatContext; | ||||
| import org.owasp.webgoat.session.WebgoatProperties; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -95,12 +101,16 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object | ||||
|  | ||||
| 	private String sourceFileName; | ||||
|  | ||||
| 	private String lessonPlanFileName; | ||||
| 	private Map<String,String> lessonPlanFileName = new HashMap<String,String>(); | ||||
|  | ||||
| 	private String lessonSolutionFileName; | ||||
|  | ||||
| 	private WebgoatContext webgoatContext; | ||||
|  | ||||
| 	 | ||||
| 	private LinkedList<String> availableLanguages = new LinkedList<String>(); | ||||
| 	 | ||||
| 	private String defaultLanguage = "English"; | ||||
| 	 | ||||
| 	/** | ||||
| 	 * Constructor for the Lesson object | ||||
| 	 */ | ||||
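Review bot: `defaultLanguage = "English"` is a hard-coded literal with no setter, and it must match exactly (case included) the language string the loader passes to setLessonPlanFileName, otherwise every fallback lookup in the lessonPlanFileName map silently returns null. A single shared constant for the default language directory name, used by both the loader and this class, would remove that coupling.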
| @ -392,22 +402,29 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object | ||||
| 	 */ | ||||
| 	public String getLessonPlan(WebSession s) | ||||
| 	{ | ||||
| 		String src = null; | ||||
|  | ||||
| 		StringBuffer src = new StringBuffer(); | ||||
| 		String lang = s.getCurrrentLanguage(); | ||||
| 		 | ||||
| 		try | ||||
| 		{ | ||||
| 			// System.out.println("Loading lesson plan file: " + | ||||
| 			// getLessonPlanFileName()); | ||||
| 			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonPlanFileName()))), false); | ||||
| 			String filename = getLessonPlanFileName(lang); | ||||
| 			if(filename==null){ | ||||
| 				filename = getLessonPlanFileName(getDefaultLanguage()); | ||||
| 				 | ||||
| 			} | ||||
| 			 | ||||
| 			src.append(readFromFile(new BufferedReader(new FileReader(s.getWebResource(filename))), false)); | ||||
|  | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			// s.setMessage( "Could not find lesson plan for " + | ||||
| 			// getLessonName()); | ||||
| 			src = ("Could not find lesson plan for: " + getLessonName()); | ||||
| 			src = new StringBuffer("Could not find lesson plan for: " + getLessonName()+" and language "+lang); | ||||
|  | ||||
| 		} | ||||
| 		return src; | ||||
| 		return src.toString(); | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
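Review bot: the `if(filename==null)` fallback in getLessonPlan is redundant, because getLessonPlanFileName(String) already falls back to the default language itself; when neither plan exists, filename stays null, `s.getWebResource(null)` throws, and the catch block reports the missing plan, so the explicit branch (and its stray blank line) can go. `StringBuffer src` is also unnecessary here, a plain String assigned in both branches reads more simply. The call `s.getCurrrentLanguage()` has a triple `r`; if that really is the WebSession method name, fix it now before more callers depend on it.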
| @ -774,16 +791,27 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object | ||||
| 		return getTitle(); | ||||
| 	} | ||||
|  | ||||
| 	public String getLessonPlanFileName() | ||||
| 	public String getDefaultLanguage(){ | ||||
| 		return this.defaultLanguage; | ||||
| 	} | ||||
| 	 | ||||
| 	public String getLessonPlanFileName(String lang) | ||||
| 	{ | ||||
| 		return lessonPlanFileName; | ||||
| 		String ret = lessonPlanFileName.get(lang); | ||||
| 		if(ret==null) ret = lessonPlanFileName.get(getDefaultLanguage()); | ||||
| 		return ret; | ||||
| 	} | ||||
|  | ||||
| 	public void setLessonPlanFileName(String lessonPlanFileName) | ||||
| 	public void setLessonPlanFileName(String lang, String lessonPlanFileName) | ||||
| 	{ | ||||
| 		this.lessonPlanFileName = lessonPlanFileName; | ||||
| 		this.lessonPlanFileName.put(lang,lessonPlanFileName); | ||||
| 		this.availableLanguages.add(lang); | ||||
| 	} | ||||
|  | ||||
| 	public List<String> getAvailableLanguages(){ | ||||
| 		return this.availableLanguages; | ||||
| 	} | ||||
| 	 | ||||
| 	public String getLessonSolutionFileName() | ||||
| 	{ | ||||
| 		return lessonSolutionFileName; | ||||
|  | ||||
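Review bot: setLessonPlanFileName appends to availableLanguages on every call, so registering the same language twice (a plan found again on reload, or under two file extensions) produces duplicate entries; guard with `if (!availableLanguages.contains(lang))` or make the field a Set. getAvailableLanguages also hands out the internal mutable list, so callers can alter lesson state; return `Collections.unmodifiableList(availableLanguages)`. getLessonPlanFileName(String) can still return null when the default language has no plan either, and that case should be documented for callers.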
| @ -13,6 +13,7 @@ import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -101,12 +102,12 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
| 			{ | ||||
| 				if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION)) | ||||
| 				{ | ||||
| 					s.setMessage("Basic Authentication header name is incorrect."); | ||||
| 					s.setMessage(WebGoatI18N.get("BasicAuthHeaderNameIncorrect")); | ||||
| 				} | ||||
| 				if (headerValue.length() > 0 | ||||
| 						&& !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat"))) | ||||
| 				{ | ||||
| 					s.setMessage("Basic Authentication header value is incorrect."); | ||||
| 					s.setMessage(WebGoatI18N.get("BasicAuthHeaderValueIncorrect")); | ||||
|  | ||||
| 				} | ||||
| 			} | ||||
| @ -120,8 +121,8 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
|  | ||||
| 			TR row1 = new TR(); | ||||
| 			TR row2 = new TR(); | ||||
| 			row1.addElement(new TD(new StringElement("What is the name of the authentication header: "))); | ||||
| 			row2.addElement(new TD(new StringElement("What is the decoded value of the authentication header: "))); | ||||
| 			row1.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsNameOfHeader")))); | ||||
| 			row2.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsDecodedValueOfHeader")))); | ||||
|  | ||||
| 			row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString()))); | ||||
| 			row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString()))); | ||||
| @ -132,7 +133,7 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
| 			ec.addElement(t); | ||||
| 			ec.addElement(new P()); | ||||
|  | ||||
| 			Element b = ECSFactory.makeButton("Submit"); | ||||
| 			Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit")); | ||||
| 			ec.addElement(b); | ||||
|  | ||||
| 		} catch (Exception e) | ||||
| @ -158,7 +159,7 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
| 				getLessonTracker(s, originalUser).setStage(1); | ||||
| 				getLessonTracker(s, originalUser).store(s, this); | ||||
| 				makeSuccess(s); | ||||
| 				s.setMessage("Close your browser and login as " + originalUser + " to get your green stars back."); | ||||
| 				s.setMessage(WebGoatI18N.get("BasicAuthenticiationGreenStars1")+ originalUser + WebGoatI18N.get("BasicAuthenticationGreenStars2")); | ||||
| 				return ec; | ||||
| 			} | ||||
| 			else | ||||
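Review bot: the two keys in this message are spelled differently, `BasicAuthenticiationGreenStars1` versus `BasicAuthenticationGreenStars2`; since a missing label currently throws, a typo here becomes a runtime failure the moment stage 1 is completed. Use the same spelling for both and make sure every properties file carries the same key.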
| @ -184,11 +185,7 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
| 					getLessonTracker(s, BASIC).store(s, this, BASIC); | ||||
| 				} | ||||
|  | ||||
| 				s.setMessage("Congratulations, you have figured out the mechanics of basic authentication."); | ||||
| 				s.setMessage("  - Now you must try to make WebGoat reauthenticate you as:  "); | ||||
| 				s.setMessage("    - username:  basic"); | ||||
| 				s.setMessage("    - password:  basic"); | ||||
| 				s.setMessage("Use the Basic Authentication Menu to start at login page."); | ||||
| 				s.setMessage(WebGoatI18N.get("BasicAuthenticationStage1Completed")); | ||||
|  | ||||
| 				// If the auth header is different but still the original user - tell the user | ||||
| 				// that the original cookie was posted bak and basic auth uses the cookie before the | ||||
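Review bot: five separate setMessage calls are collapsed into the single label `BasicAuthenticationStage1Completed`; the removed lines carried the stage-2 instructions (reauthenticate as username `basic` / password `basic`), so that one label has to contain all of that text, with line breaks, or the user loses the instructions for the next stage.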
| @ -196,32 +193,28 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
| 				if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION))) | ||||
| 				{ | ||||
| 					ec | ||||
| 							.addElement("You're almost there!  You've modified the " | ||||
| 							.addElement(WebGoatI18N.get("BasicAuthenticationAlmostThere1") | ||||
| 									+ AUTHORIZATION | ||||
| 									+ " header but you are " | ||||
| 									+ "still logged in as " | ||||
| 									+ WebGoatI18N.get("BasicAuthenticationAlmostThere2") | ||||
| 									+ s.getUserName() | ||||
| 									+ ".  Look at the request after you typed in the 'basic' " | ||||
| 									+ "user credentials and submitted the request.  Remember the order of events that occur during Basic Authentication."); | ||||
| 									+ WebGoatI18N.get("BasicAuthenticationAlmostThere3")); | ||||
| 				} | ||||
| 				else if (!originalSessionId.equals(s.getCookie(JSESSIONID))) | ||||
| 				{ | ||||
| 					ec | ||||
| 							.addElement("You're really close!  Changing the session cookie caused the server to create a new session for you.  This did not cause the server to reauthenticate you.  " | ||||
| 									+ "When you figure out how to force the server to perform an authentication request, you have to authenticate as:<br><br>" | ||||
| 									+ "    user name: basic<br> " | ||||
| 									+ "    password: basic<br>"); | ||||
| 							.addElement(WebGoatI18N.get("BasicAuthenticationReallyClose")); | ||||
| 									 | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
| 					ec.addElement("Use the hints!  One at a time..."); | ||||
| 					ec.addElement(WebGoatI18N.get("BasicAuthenticationUseTheHints")); | ||||
| 				} | ||||
|  | ||||
| 			} | ||||
|  | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
| @ -252,22 +245,19 @@ public class BasicAuthentication extends SequentialLessonAdapter | ||||
| 		// switch ( stage ) | ||||
| 		// { | ||||
| 		// case 1: | ||||
| 		hints.add("Basic authentication uses a cookie to pass the credentials. " | ||||
| 				+ "Use a proxy to intercept the request.  Look at the cookies."); | ||||
| 		hints.add("Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials."); | ||||
| 		hints.add("Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials."); | ||||
| 		hints.add("Use WebScarab -> Tools -> Transcoder to Base64 decode the " | ||||
| 				+ "the value in the Authorization cookie."); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint1")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint2")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint3")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint4")); | ||||
| 		 | ||||
| 		// break; | ||||
| 		// case 2: | ||||
| 		hints.add("Basic authentication uses a cookie to pass the credentials. " | ||||
| 				+ "Use a proxy to intercept the request.  Look at the cookies."); | ||||
| 		hints.add("Before the WebServer requests credentials from the client, the current " | ||||
| 				+ "session is checked for validitity."); | ||||
| 		hints.add("If the session is invalid the webserver will use the basic authentication credentials"); | ||||
| 		hints.add("If the session is invalid and the basic authentication credentials are invalid, " | ||||
| 				+ "new credentials will be requested from the client."); | ||||
| 		hints.add("Intercept the request and corrupt the JSESSIONID and the Authorization header."); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint5")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint6")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint7")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint8")); | ||||
| 		hints.add(WebGoatI18N.get("BasicAuthenticationHint9")); | ||||
| 		 | ||||
| 		// break; | ||||
| 		// } | ||||
|  | ||||
|  | ||||
| @ -16,6 +16,7 @@ import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.Exec; | ||||
| import org.owasp.webgoat.util.ExecResults; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -78,7 +79,7 @@ public class CommandInjection extends LessonAdapter | ||||
| 				} | ||||
| 				index = index + 1; | ||||
| 				int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote | ||||
| 				System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); | ||||
| 				System.out.println(WebGoatI18N.get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); | ||||
| 				if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase() | ||||
| 						.equals("netstat -a") | ||||
| 						|| helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") | ||||
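Review bot: localising a debug `System.out.println` is not useful, and the statement prints whatever command string the user submitted straight to stdout. Either drop the println or route it through the application's logger with a fixed, untranslated message; translation belongs only to text the user sees.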
| @ -96,9 +97,8 @@ public class CommandInjection extends LessonAdapter | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
| 					s.setMessage("It appears that you are on the right track.  " | ||||
| 							+ "Commands that may compromise the operating system have been disabled.  " | ||||
| 							+ "The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig"); | ||||
| 					s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack1")); | ||||
| 							 | ||||
| 				} | ||||
| 			} | ||||
|  | ||||
| @ -114,9 +114,7 @@ public class CommandInjection extends LessonAdapter | ||||
| 					} | ||||
| 					else | ||||
| 					{ | ||||
| 						s.setMessage("It appears that you are on the right track.  " | ||||
| 								+ "Commands that may compromise the operating system have been disabled.  " | ||||
| 								+ "This lesson is a command injection lesson, not access control."); | ||||
| 						s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack2")); | ||||
| 					} | ||||
| 				} | ||||
| 				else | ||||
| @ -125,10 +123,10 @@ public class CommandInjection extends LessonAdapter | ||||
| 					illegalCommand = false; | ||||
| 				} | ||||
| 			} | ||||
| 			File safeDir = new File(s.getContext().getRealPath("/lesson_plans")); | ||||
| 			File safeDir = new File(s.getContext().getRealPath("/lesson_plans/English")); | ||||
|  | ||||
| 			ec.addElement(new StringElement("You are currently viewing: <b>" | ||||
| 					+ (helpFile.toString().length() == 0 ? "<select file from list below>" : helpFile.toString()) | ||||
| 			ec.addElement(new StringElement(WebGoatI18N.get("YouAreCurrentlyViewing")+"<b>" | ||||
| 					+ (helpFile.toString().length() == 0 ? "<"+WebGoatI18N.get("SelectFileFromListBelow")+">" : helpFile.toString()) | ||||
| 					+ "</b>")); | ||||
|  | ||||
| 			if (!illegalCommand) | ||||
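Review bot: `safeDir` is now hard-coded to `/lesson_plans/English`, so a user who selected German still gets the English plan listing in this lesson. Build the path from the session language with the same default-language fallback AbstractLesson uses, e.g. `"/lesson_plans/" + lang`, after checking that `lang` is one of the known language names so the directory name is never derived from unvalidated data.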
| @ -153,11 +151,11 @@ public class CommandInjection extends LessonAdapter | ||||
| 					fileData = exec(s, cmd2); | ||||
| 				} | ||||
|  | ||||
| 				ec.addElement(new P().addElement("Select the lesson plan to view: ")); | ||||
| 				ec.addElement(new P().addElement(WebGoatI18N.get("SelectLessonPlanToView"))); | ||||
| 				ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html", | ||||
| 																									"\\.help")))); | ||||
| 				// ec.addElement( results ); | ||||
| 				Element b = ECSFactory.makeButton("View"); | ||||
| 				Element b = ECSFactory.makeButton(WebGoatI18N.get("View")); | ||||
| 				ec.addElement(b); | ||||
| 				// Strip out some of the extra html from the "help" file | ||||
| 				ec.addElement(new BR()); | ||||
| @ -272,27 +270,14 @@ public class CommandInjection extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("The application is using a system command to return the contents of a file."); | ||||
| 		hints | ||||
| 				.add("The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)"); | ||||
| 		hints.add("Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix."); | ||||
| 		hints.add("Note that the server may enclose the submitted file name within quotes"); | ||||
| 		hints.add(WebGoatI18N.get("CommandInjectionHint1")); | ||||
| 		hints.add(WebGoatI18N.get("CommandInjectionHint2")); | ||||
| 		hints.add(WebGoatI18N.get("CommandInjectionHint3")); | ||||
| 		hints.add(WebGoatI18N.get("CommandInjectionHint4")); | ||||
|  | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
| 	 * Gets the instructions attribute of the ParameterInjection object | ||||
| 	 *  | ||||
| 	 * @return The instructions value | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "Choose the lesson plan you would like to view.  " | ||||
| 				+ "Try to inject a command to the operating system."; | ||||
|  | ||||
| 		return (instructions); | ||||
| 	} | ||||
|  | ||||
| 	private final static Integer DEFAULT_RANKING = new Integer(40); | ||||
|  | ||||
|  | ||||
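Review bot: getInstructions is deleted outright rather than localised, so unless the LessonAdapter base class supplies a useful default, the lesson page loses its one-line instruction text. If the intent is that the lesson plan now carries this text, say so in the commit; otherwise keep the method and return `WebGoatI18N.get("CommandInjectionInstructions")` with the key added to each properties file.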
| @ -22,6 +22,7 @@ import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -106,7 +107,7 @@ public class HiddenFieldTampering extends LessonAdapter | ||||
| 			total = quantity * Float.parseFloat(price); | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Invaild data " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("Invaild data") + this.getClass().getName()); | ||||
| 			price = PRICE_TV; | ||||
| 			quantity = 1.0f; | ||||
| 			total = quantity * Float.parseFloat(PRICE_TV); | ||||
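Review bot: the key `"Invaild data"` contains a space and a typo, and it breaks the CamelCase convention used by every other key in this change. In a properties file an unescaped space terminates the key, so `Invaild data=...` is parsed as the key `Invaild` and the lookup fails (which, per the commit message, currently throws). Rename it to something like `InvalidData` in both the code and the properties files.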
| @ -115,7 +116,7 @@ public class HiddenFieldTampering extends LessonAdapter | ||||
|  | ||||
| 		if (price.equals(PRICE_TV)) | ||||
| 		{ | ||||
| 			ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); | ||||
| 			ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart")))); | ||||
| 			ec.addElement(new BR()); | ||||
| 			Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); | ||||
|  | ||||
| @ -125,10 +126,10 @@ public class HiddenFieldTampering extends LessonAdapter | ||||
| 			} | ||||
|  | ||||
| 			TR tr = new TR(); | ||||
| 			tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); | ||||
| 			tr.addElement(new TH().addElement("Price").setWidth("10%")); | ||||
| 			tr.addElement(new TH().addElement("Quantity").setWidth("3%")); | ||||
| 			tr.addElement(new TH().addElement("Total").setWidth("7%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%")); | ||||
| 			t.addElement(tr); | ||||
|  | ||||
| 			tr = new TR(); | ||||
| @ -149,10 +150,10 @@ public class HiddenFieldTampering extends LessonAdapter | ||||
|  | ||||
| 			ec.addElement(new BR()); | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().addElement("The total charged to your credit card:")); | ||||
| 			tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":")); | ||||
| 			tr.addElement(new TD().addElement(money.format(total))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()"))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart")))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("Purchase"), "validate()"))); | ||||
| 			t.addElement(tr); | ||||
|  | ||||
| 			ec.addElement(t); | ||||
| @ -169,10 +170,10 @@ public class HiddenFieldTampering extends LessonAdapter | ||||
| 				makeSuccess(s); | ||||
| 			} | ||||
|  | ||||
| 			ec.addElement(new P().addElement("Your total price is:")); | ||||
| 			ec.addElement(new P().addElement(WebGoatI18N.get("TotalPriceIs")+":")); | ||||
| 			ec.addElement(new B("$" + total)); | ||||
| 			ec.addElement(new BR()); | ||||
| 			ec.addElement(new P().addElement("This amount will be charged to your credit card immediately.")); | ||||
| 			ec.addElement(new P().addElement(WebGoatI18N.get("ThisAmountCharged"))); | ||||
| 		} | ||||
|  | ||||
| 		return (ec); | ||||
| @ -196,26 +197,15 @@ public class HiddenFieldTampering extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("This application is using hidden fields to transmit price information to the server."); | ||||
| 		hints.add("Use a program to intercept and change the value in the hidden field."); | ||||
| 		hints | ||||
| 				.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from " | ||||
| 						+ PRICE_TV + " to " + PRICE_TV_HACKED + "."); | ||||
|  | ||||
| 		 | ||||
| 		hints.add(WebGoatI18N.get("HiddenFieldTamperingHint1")); | ||||
| 		hints.add(WebGoatI18N.get("HiddenFieldTamperingHint2")); | ||||
| 		hints.add(WebGoatI18N.get("HiddenFieldTamperingHint3")+ PRICE_TV +WebGoatI18N.get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED ); | ||||
| 		 | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
| 	 * Gets the instructions attribute of the HiddenFieldTampering object | ||||
| 	 *  | ||||
| 	 * @return The instructions value | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already."; | ||||
|  | ||||
| 		return (instructions); | ||||
| 	} | ||||
| 	 | ||||
|  | ||||
| 	private final static Integer DEFAULT_RANKING = new Integer(50); | ||||
|  | ||||
|  | ||||
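Review bot: the new hint concatenation `Hint3 + PRICE_TV + Hint32 + PRICE_TV_HACKED` drops the trailing period of the original sentence, and because java.util.Properties strips leading whitespace from values, the German `HiddenFieldTamperingHint32= bis ` becomes `bis `, yielding text like `2999.99bis 1.99`. Put the separating spaces at the end of Hint3 and Hint32 (trailing whitespace is preserved), or better, use a MessageFormat pattern with `{0}` / `{1}` placeholders so each language controls its own word order. As in CommandInjection, getInstructions is removed here rather than localised.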
| @ -19,6 +19,7 @@ import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -107,7 +108,7 @@ public class HtmlClues extends LessonAdapter | ||||
| 			{ | ||||
| 				makeSuccess(s); | ||||
|  | ||||
| 				s.setMessage("BINGO -- admin authenticated"); | ||||
| 				s.setMessage(WebGoatI18N.get("HtmlCluesBINGO")); | ||||
| 				ec.addElement(makeUser(s, "admin", "CREDENTIALS")); | ||||
| 			} | ||||
| 			else | ||||
| @ -138,8 +139,8 @@ public class HtmlClues extends LessonAdapter | ||||
| 	protected Element makeUser(WebSession s, String user, String method) throws Exception | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
| 		ec.addElement(new P().addElement("Welcome, " + user)); | ||||
| 		ec.addElement(new P().addElement("You have been authenticated with " + method)); | ||||
| 		ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser")+ user)); | ||||
| 		ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method)); | ||||
|  | ||||
| 		return (ec); | ||||
| 	} | ||||
| @ -158,12 +159,12 @@ public class HtmlClues extends LessonAdapter | ||||
|  | ||||
| 		TR tr = new TR(); | ||||
| 		tr.addElement(new TH() | ||||
| 				.addElement("Please sign in to your account.  See the OWASP admin if you do not have an account.") | ||||
| 				.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn")) | ||||
| 				.setColSpan(2).setAlign("left")); | ||||
| 		t.addElement(tr); | ||||
|  | ||||
| 		tr = new TR(); | ||||
| 		tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); | ||||
| 		tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%")); | ||||
| 		t.addElement(tr); | ||||
|  | ||||
| 		tr = new TR(); | ||||
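Review bot: HtmlClues now reuses the `WeakAuthenticationCookiePleaseSignIn` key, which by its name belongs to a different lesson; a later wording change for that lesson would silently change this form too. Give the sign-in prompt a lesson-neutral key (e.g. `PleaseSignIn`) or an HtmlClues-specific one.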
| @ -172,8 +173,8 @@ public class HtmlClues extends LessonAdapter | ||||
|  | ||||
| 		TR row1 = new TR(); | ||||
| 		TR row2 = new TR(); | ||||
| 		row1.addElement(new TD(new B(new StringElement("*User Name: ")))); | ||||
| 		row2.addElement(new TD(new B(new StringElement("*Password: ")))); | ||||
| 		row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")+": ")))); | ||||
| 		row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")+": ")))); | ||||
|  | ||||
| 		Input input1 = new Input(Input.TEXT, USERNAME, ""); | ||||
| 		Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); | ||||
| @ -182,7 +183,7 @@ public class HtmlClues extends LessonAdapter | ||||
| 		t.addElement(row1); | ||||
| 		t.addElement(row2); | ||||
|  | ||||
| 		Element b = ECSFactory.makeButton("Login"); | ||||
| 		Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); | ||||
| 		t.addElement(new TR(new TD(b))); | ||||
| 		ec.addElement(t); | ||||
|  | ||||
| @ -197,24 +198,14 @@ public class HtmlClues extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("You can view the HTML source by selecting 'view source' in the browser menu."); | ||||
| 		hints.add("There are lots of clues in the HTML"); | ||||
| 		hints.add("Search for the word HIDDEN, look at URLs, look for comments."); | ||||
|  | ||||
| 		hints.add(WebGoatI18N.get("HtmlCluesHint1")); | ||||
| 		hints.add(WebGoatI18N.get("HtmlCluesHint2")); | ||||
| 		hints.add(WebGoatI18N.get("HtmlCluesHint3")); | ||||
| 		 | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
| 	 * Gets the instructions attribute of the HtmlClues object | ||||
| 	 *  | ||||
| 	 * @return The instructions value | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "Below is an example of a forms based authentication form.  Look for clues to help you log in."; | ||||
|  | ||||
| 		return (instructions); | ||||
| 	} | ||||
|  | ||||
| 	private final static Integer DEFAULT_RANKING = new Integer(30); | ||||
|  | ||||
|  | ||||
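Review bot: as in CommandInjection, getInstructions is removed instead of being localised; keep the method and return a label such as `WebGoatI18N.get("HtmlCluesInstructions")` unless the base class default is meant to cover this lesson's instruction text.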
| @ -9,6 +9,7 @@ import org.apache.ecs.StringElement; | ||||
| import org.apache.ecs.html.Input; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -59,7 +60,7 @@ public class HttpBasics extends LessonAdapter | ||||
| 		StringBuffer person = null; | ||||
| 		try | ||||
| 		{ | ||||
| 			ec.addElement(new StringElement("Enter your name: ")); | ||||
| 			ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName")+": ")); | ||||
|  | ||||
| 			person = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); | ||||
| 			person.reverse(); | ||||
| @ -67,7 +68,7 @@ public class HttpBasics extends LessonAdapter | ||||
| 			Input input = new Input(Input.TEXT, PERSON, person.toString()); | ||||
| 			ec.addElement(input); | ||||
|  | ||||
| 			Element b = ECSFactory.makeButton("Go!"); | ||||
| 			Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); | ||||
| 			ec.addElement(b); | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
|  | ||||
| @ -14,6 +14,7 @@ import org.apache.ecs.html.Input; | ||||
| import org.apache.ecs.html.P; | ||||
| import org.apache.ecs.html.TextArea; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -124,28 +125,28 @@ public class JavaScriptValidation extends LessonAdapter | ||||
| 			b.setType(Input.BUTTON); | ||||
| 			b.setValue("Submit"); | ||||
| 			b.addAttribute("onclick", "validate();"); | ||||
| 			ec.addElement(new Div().addElement(new StringElement("Field1: exactly three lowercase characters (" | ||||
| 			ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("3LowerCase")+"(" | ||||
| 					+ regex1 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(input1)); | ||||
| 			ec.addElement(new P()); | ||||
| 			ec.addElement(new Div().addElement(new StringElement("Field2: exactly three digits (" + regex2 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("Exactly3Digits")+"(" + regex2 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(input2)); | ||||
| 			ec.addElement(new P()); | ||||
| 			ec.addElement(new Div().addElement(new StringElement("Field3: letters, numbers, and space only (" + regex3 | ||||
| 			ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("LettersNumbersSpaceOnly")+"(" + regex3 | ||||
| 					+ ")"))); | ||||
| 			ec.addElement(new Div().addElement(input3)); | ||||
| 			ec.addElement(new P()); | ||||
| 			ec.addElement(new Div().addElement(new StringElement("Field4: enumeration of numbers (" + regex4 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("EnumerationOfNumbers")+" (" + regex4 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(input4)); | ||||
| 			ec.addElement(new P()); | ||||
| 			ec.addElement(new Div().addElement(new StringElement("Field5: simple zip code (" + regex5 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("SimpleZipCode")+ " (" + regex5 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(input5)); | ||||
| 			ec.addElement(new P()); | ||||
| 			ec.addElement(new Div() | ||||
| 					.addElement(new StringElement("Field6: zip with optional dash four (" + regex6 + ")"))); | ||||
| 					.addElement(new StringElement(WebGoatI18N.get("ZIPDashFour")+" (" + regex6 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(input6)); | ||||
| 			ec.addElement(new P()); | ||||
| 			ec.addElement(new Div().addElement(new StringElement("Field7: US phone number with or without dashes (" | ||||
| 			ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("USPhoneNumber")+ " (" | ||||
| 					+ regex7 + ")"))); | ||||
| 			ec.addElement(new Div().addElement(input7)); | ||||
| 			ec.addElement(new P()); | ||||
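Review bot: the separator between the label and the regex is inconsistent across this hunk: `WebGoatI18N.get("3LowerCase")+"("`, `WebGoatI18N.get("Exactly3Digits")+"("` and `WebGoatI18N.get("LettersNumbersSpaceOnly")+"("` run the text straight into the parenthesis, while the EnumerationOfNumbers, SimpleZipCode, ZIPDashFour and USPhoneNumber lines use `+" ("`. Pick one form, preferably `+ " (" + regexN + ")"` in the code, so the property values do not have to end in whitespace to render correctly.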
| @ -160,43 +161,43 @@ public class JavaScriptValidation extends LessonAdapter | ||||
| 			if (!pattern1.matcher(param1).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation: You succeeded for Field1."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field1."; | ||||
| 			} | ||||
|  | ||||
| 			if (!pattern2.matcher(param2).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation:  You succeeded for Field2."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field2."; | ||||
| 			} | ||||
|  | ||||
| 			if (!pattern3.matcher(param3).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation:  You succeeded for Field3."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field3."; | ||||
| 			} | ||||
|  | ||||
| 			if (!pattern4.matcher(param4).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation:  You succeeded for Field4."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field4."; | ||||
| 			} | ||||
|  | ||||
| 			if (!pattern5.matcher(param5).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation:  You succeeded for Field5."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field5."; | ||||
| 			} | ||||
|  | ||||
| 			if (!pattern6.matcher(param6).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation:  You succeeded for Field6."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field6."; | ||||
| 			} | ||||
|  | ||||
| 			if (!pattern7.matcher(param7).matches()) | ||||
| 			{ | ||||
| 				err++; | ||||
| 				msg += "<BR>Server side validation violation:  You succeeded for Field7."; | ||||
| 				msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field7."; | ||||
| 			} | ||||
|  | ||||
| 			if (err > 0) | ||||
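Review bot: the Field1 and Field2 messages use `+" Field1."` / `+" Field2."` with a leading space, but Field3 through Field7 use `+"Field3."` and so on without it, so the rendered text reads `...violation:Field3.` unless the property value happens to end in a space. The `FieldN.` suffix also stays a hard-coded English fragment outside the label file; one key with a placeholder for the field number (java.text.MessageFormat style) would fix the spacing and the translation in a single place.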
| @ -212,7 +213,7 @@ public class JavaScriptValidation extends LessonAdapter | ||||
|  | ||||
| 		catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
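Review bot: `WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()` drops the separator that the old literal `"Error generating "` carried, so the ErrorGenerating value must end in a trailing space (java.util.Properties keeps trailing whitespace but strips leading whitespace) or the class name is glued to the text. Safer to put the separator in code, `WebGoatI18N.get("ErrorGenerating") + " " + this.getClass().getName()`; the same pattern is repeated in every other lesson touched by this commit.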
| @ -237,27 +238,14 @@ public class JavaScriptValidation extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
|  | ||||
| 		hints.add("The validation is happening in your browser."); | ||||
| 		hints.add("Try modifying the values with a proxy after they leave your browser"); | ||||
| 		hints.add("Another way is to delete the JavaScript before you view the page."); | ||||
| 		hints.add(WebGoatI18N.get("JavaScriptValidationHint1")); | ||||
| 		hints.add(WebGoatI18N.get("JavaScriptValidationHint2")); | ||||
| 		hints.add(WebGoatI18N.get("JavaScriptValidationHint3")); | ||||
| 		 | ||||
|  | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
| 	 * Gets the instructions attribute of the WeakAccessControl object | ||||
| 	 *  | ||||
| 	 * @return The instructions value | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "This website performs both client and server side validation.  " | ||||
| 				+ "For this exercise, your job is to break the client side validation and send the " | ||||
| 				+ " website input that it wasn't expecting." | ||||
| 				+ "<b> You must break all 7 validators at the same time. </b>"; | ||||
| 		return (instructions); | ||||
| 	} | ||||
|  | ||||
| 	private final static Integer DEFAULT_RANKING = new Integer(120); | ||||
|  | ||||
|  | ||||
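Review bot: deleting `getInstructions(WebSession s)` here means JavaScriptValidation falls back to LessonAdapter.getInstructions, which serves the lesson plan file for the session language; the removed text (client and server side validation, and `<b> You must break all 7 validators at the same time. </b>`) is not moved anywhere in this diff, so confirm that each language's copy of this lesson plan carries it, otherwise the requirement to break all seven validators at once disappears from the UI. The line containing only tab characters left at the end of getHints should also be removed.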
| @ -16,6 +16,7 @@ import org.apache.ecs.html.TD; | ||||
| import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -165,9 +166,10 @@ public abstract class LessonAdapter extends AbstractLesson | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		StringBuffer buff = new StringBuffer(); | ||||
| 		String lang = s.getCurrrentLanguage(); | ||||
| 		try | ||||
| 		{ | ||||
| 			String fileName = s.getWebResource(getLessonPlanFileName()); | ||||
| 			String fileName = s.getWebResource(getLessonPlanFileName(lang)); | ||||
| 			if (fileName != null) | ||||
| 			{ | ||||
| 				BufferedReader in = new BufferedReader(new FileReader(fileName)); | ||||
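Review bot: `String lang = s.getCurrrentLanguage();` has three r's in the method name; if WebSession really defines it this way the typo becomes part of the API and will be copied into every lesson, so rename it to getCurrentLanguage() while there is a single caller. Two further points: the lesson plan is selected per session via `getLessonPlanFileName(lang)`, but every label in this commit comes from the static `WebGoatI18N.get(...)` with no session argument, so two users with different languages active at the same time can receive a plan in one language and labels in another; and when `fileName` is null because no plan exists for `lang`, the method silently returns nothing instead of falling back to the English plan.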
| @ -241,7 +243,7 @@ public abstract class LessonAdapter extends AbstractLesson | ||||
| 	{ | ||||
| 		getLessonTracker(s).setCompleted(true); | ||||
|  | ||||
| 		s.setMessage("Congratulations. You have successfully completed this lesson."); | ||||
| 		s.setMessage(WebGoatI18N.get("LessonCompleted")); | ||||
|  | ||||
| 		return (null); | ||||
| 	} | ||||
|  | ||||
| @ -17,6 +17,7 @@ import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -73,15 +74,15 @@ public class LogSpoofing extends LessonAdapter | ||||
| 			TR row2 = new TR(); | ||||
| 			TR row3 = new TR(); | ||||
|  | ||||
| 			row1.addElement(new TD(new StringElement("Username: "))); | ||||
| 			row1.addElement(new TD(new StringElement(WebGoatI18N.get("UserName")+":"))); | ||||
| 			Input username = new Input(Input.TEXT, USERNAME, ""); | ||||
| 			row1.addElement(new TD(username)); | ||||
|  | ||||
| 			row2.addElement(new TD(new StringElement("Password: "))); | ||||
| 			row2.addElement(new TD(new StringElement(WebGoatI18N.get("Password")+": "))); | ||||
| 			Input password = new Input(Input.PASSWORD, PASSWORD, ""); | ||||
| 			row2.addElement(new TD(password)); | ||||
|  | ||||
| 			Element b = ECSFactory.makeButton("Login"); | ||||
| 			Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); | ||||
| 			row3.addElement(new TD(new StringElement("  "))); | ||||
| 			row3.addElement(new TD(b)).setAlign("right"); | ||||
|  | ||||
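Review bot: the two form labels are assembled differently: `WebGoatI18N.get("UserName")+":"` has no trailing space while `WebGoatI18N.get("Password")+": "` has one (the original literals were `"Username: "` and `"Password: "`). Use the same suffix for both, or move the colon into the property value so that translators control the punctuation.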
| @ -102,7 +103,7 @@ public class LogSpoofing extends LessonAdapter | ||||
|  | ||||
| 			Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); | ||||
| 			TR row4 = new TR(); | ||||
| 			row4.addElement(new TD(new PRE("Login failed for username: " + inputUsername))).setBgColor(HtmlColor.GRAY); | ||||
| 			row4.addElement(new TD(new PRE(WebGoatI18N.get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY); | ||||
|  | ||||
| 			t2.addElement(row4); | ||||
|  | ||||
| @ -111,7 +112,7 @@ public class LogSpoofing extends LessonAdapter | ||||
| 			if (inputUsername.length() != 0 | ||||
| 					&& inputUsername.toUpperCase().indexOf( | ||||
| 															System.getProperty("line.separator") | ||||
| 																	+ "LOGIN SUCCEEDED FOR USERNAME:") >= 0) | ||||
| 																	+ WebGoatI18N.get("LoginSucceededForUserName")+":") >= 0) | ||||
| 			{ | ||||
| 				makeSuccess(s); | ||||
| 			} | ||||
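Review bot: the success check breaks with this change: `inputUsername.toUpperCase().indexOf(... + WebGoatI18N.get("LoginSucceededForUserName")+":")` compares an upper-cased input against a label that is no longer upper-cased (the old literal was `"LOGIN SUCCEEDED FOR USERNAME:"`), so unless the property value is written entirely in capitals the lesson can never be completed. Apply `.toUpperCase()` to the label as well, or use a case-insensitive comparison. Note also that the expected string is now language dependent, so the label must stay in step with the LogSpoofingHint3 text in each language's label file, and the `line.separator` prefix still ties the check to the server's operating system.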
| @ -134,12 +135,10 @@ public class LogSpoofing extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("Try to fool the human eye by using new lines."); | ||||
| 		hints.add("Use CR (%0d) and LF (%0a) for a new line."); | ||||
| 		hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); | ||||
| 		hints | ||||
| 				.add("Try: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>"); | ||||
|  | ||||
| 		hints.add(WebGoatI18N.get("LogSpoofingHint1")); | ||||
| 		hints.add(WebGoatI18N.get("LogSpoofingHint2")); | ||||
| 		hints.add(WebGoatI18N.get("LogSpoofingHint3")); | ||||
| 		hints.add(WebGoatI18N.get("LogSpoofingHint4")); | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
|  | ||||
| @ -16,6 +16,7 @@ import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -66,7 +67,7 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
|  | ||||
| 		try | ||||
| 		{ | ||||
| 			String dir = s.getContext().getRealPath("/lesson_plans"); | ||||
| 			String dir = s.getContext().getRealPath("/lesson_plans/English"); | ||||
| 			File d = new File(dir); | ||||
|  | ||||
| 			Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); | ||||
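Review bot: `getRealPath("/lesson_plans/English")` hard-codes one language and moves the listing one directory deeper than the old `/lesson_plans`. The `upDirCount(file) == 3` and `> 3` thresholds later in this file, and the hint text `..\\..\\..\\LICENSE` that this commit moves into the label file, were written for the old depth and need to be re-checked against the new location; it would also be more consistent to derive the directory from the session language, as LessonAdapter.getInstructions does in this same commit.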
| @ -77,8 +78,8 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 			} | ||||
|  | ||||
| 			String[] list = d.list(); | ||||
| 			String listing = " <p><B>Current Directory is:</B> " + Encoding.urlDecode(dir) | ||||
| 					+ "<br><br> Choose the file to view:</p>"; | ||||
| 			String listing = " <p><B>"+WebGoatI18N.get("CurrentDirectory")+"</B> " + Encoding.urlDecode(dir) | ||||
| 					+ "<br><br>"+WebGoatI18N.get("ChooseFileToView")+"</p>"; | ||||
|  | ||||
| 			TR tr = new TR(); | ||||
| 			tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing))); | ||||
| @ -86,7 +87,7 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
|  | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton("View File"))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("ViewFile")))); | ||||
| 			t.addElement(tr); | ||||
|  | ||||
| 			ec.addElement(t); | ||||
| @ -105,17 +106,13 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 				// file | ||||
| 				if (upDirCount(file) == 3 && !file.endsWith("LICENSE")) | ||||
| 				{ | ||||
| 					s.setMessage("Access denied"); | ||||
| 					s.setMessage("It appears that you are on the right track.  " | ||||
| 							+ "Commands that may compromise the operating system have been disabled.  " | ||||
| 							+ "You are only allowed to see one file in this directory. "); | ||||
| 					s.setMessage(WebGoatI18N.get("AccessDenied")); | ||||
| 					s.setMessage(WebGoatI18N.get("ItAppears1")); | ||||
| 				} | ||||
| 				else if (upDirCount(file) > 3) | ||||
| 				{ | ||||
| 					s.setMessage("Access denied"); | ||||
| 					s.setMessage("It appears that you are on the right track.  " | ||||
| 							+ "Commands that may compromise the operating system have been disabled.  " | ||||
| 							+ "You are only allowed to see files in the webgoat directory. "); | ||||
| 					s.setMessage(WebGoatI18N.get("AccessDenied")); | ||||
| 					s.setMessage(WebGoatI18N.get("ItAppears2")); | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
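Review bot: the keys `ItAppears1` and `ItAppears2` say nothing about which message they carry; the removed literals differ only in their last sentence (one file in this directory versus files in the webgoat directory). Name the keys after the upDirCount branch they belong to so the two entries can be told apart in the label file without reading the Java source.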
| @ -134,13 +131,13 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 			if (s.isDebug()) | ||||
| 			{ | ||||
|  | ||||
| 				s.setMessage("File: " + file); | ||||
| 				s.setMessage("Dir: " + dir); | ||||
| 				s.setMessage(WebGoatI18N.get("File") + file); | ||||
| 				s.setMessage(WebGoatI18N.get("Dir")+ dir); | ||||
| 				// s.setMessage("File URI: " + "file:///" + | ||||
| 				// (Encoding.urlEncode(dir) + "\\" + | ||||
| 				// Encoding.urlEncode(file)).replaceAll("\\\\","/")); | ||||
| 				s.setMessage("  - isFile(): " + f.isFile()); | ||||
| 				s.setMessage("  - exists(): " + f.exists()); | ||||
| 				s.setMessage(WebGoatI18N.get("IsFile")+ f.isFile()); | ||||
| 				s.setMessage(WebGoatI18N.get("Exists") + f.exists()); | ||||
| 			} | ||||
| 			if (!illegalCommand) | ||||
| 			{ | ||||
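Review bot: this block only runs when `s.isDebug()`, and the replaced literals were diagnostic labels such as `"  - isFile(): "`; routing them through `WebGoatI18N.get("IsFile")` and `WebGoatI18N.get("Exists")` adds four keys to every language file for text no end user sees, and `WebGoatI18N.get("File") + file` again relies on a trailing space in the property value. Leave debug output as plain literals.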
| @ -150,21 +147,21 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 					// directory listing we gave them. | ||||
| 					if (upDirCount(file) >= 1) | ||||
| 					{ | ||||
| 						s.setMessage("Congratulations! Access to file allowed"); | ||||
| 						s.setMessage(WebGoatI18N.get("CongratsAccessToFileAllowed")); | ||||
| 						s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); | ||||
| 						makeSuccess(s); | ||||
| 					} | ||||
| 					else | ||||
| 					{ | ||||
| 						s.setMessage("File is already in allowed directory - try again!"); | ||||
| 						s.setMessage(WebGoatI18N.get("FileInAllowedDirectory")); | ||||
| 						s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); | ||||
| 					} | ||||
| 				} | ||||
| 				else if (file != null && file.length() != 0) | ||||
| 				{ | ||||
| 					s | ||||
| 							.setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath()) | ||||
| 									+ "\" denied"); | ||||
| 							.setMessage(WebGoatI18N.get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath()) | ||||
| 									+  WebGoatI18N.get("AccessToFileDenied2")); | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
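Review bot: `WebGoatI18N.get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath()) + WebGoatI18N.get("AccessToFileDenied2")` splits one sentence into two keys around the interpolated path, which forces the English word order on every language and leaves translators with two fragments that make no sense on their own. Prefer a single key with a placeholder, e.g. `AccessToFileDenied=Access to file/directory "{0}" denied`, formatted with java.text.MessageFormat; the same applies to `PathBasedAccessControlInstr1`/`Instr2` and `ReflectedXSSWhoops1`/`Whoops2` later in this commit.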
| @ -178,11 +175,11 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 					ec.addElement(new BR()); | ||||
| 					ec.addElement(new BR()); | ||||
| 					ec.addElement(new HR().setWidth("100%")); | ||||
| 					ec.addElement("Viewing file: " + f.getCanonicalPath()); | ||||
| 					ec.addElement(WebGoatI18N.get("ViewingFile")+ f.getCanonicalPath()); | ||||
| 					ec.addElement(new HR().setWidth("100%")); | ||||
| 					if (f.length() > 80000) { throw new Exception("File is too large"); } | ||||
| 					if (f.length() > 80000) { throw new Exception(WebGoatI18N.get("FileTooLarge")); } | ||||
| 					String fileData = getFileText(new BufferedReader(new FileReader(f)), false); | ||||
| 					if (fileData.indexOf(0x00) != -1) { throw new Exception("File is binary"); } | ||||
| 					if (fileData.indexOf(0x00) != -1) { throw new Exception(WebGoatI18N.get("FileBinary")); } | ||||
| 					ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>") | ||||
| 							.replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>") | ||||
| 							.replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "<").replaceAll("<(r|u|t)", | ||||
| @ -190,13 +187,13 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 				} catch (Exception e) | ||||
| 				{ | ||||
| 					ec.addElement(new BR()); | ||||
| 					ec.addElement("The following error occurred while accessing the file: <"); | ||||
| 					ec.addElement(WebGoatI18N.get("TheFollowingError")); | ||||
| 					ec.addElement(e.getMessage()); | ||||
| 				} | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating")+ this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
| @ -233,11 +230,11 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("Most operating systems allow special characters in the path."); | ||||
| 		hints.add("Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); | ||||
| 		hints.add("Try .. in the path"); | ||||
| 		hints.add("Try ..\\..\\..\\LICENSE"); | ||||
|  | ||||
| 		hints.add(WebGoatI18N.get("PathBasedAccessControlHint1")); | ||||
| 		hints.add(WebGoatI18N.get("PathBasedAccessControlHint2")); | ||||
| 		hints.add(WebGoatI18N.get("PathBasedAccessControlHint3")); | ||||
| 		hints.add(WebGoatI18N.get("PathBasedAccessControlHint4")); | ||||
| 		 | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
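Review bot: the hint literal removed here, `"Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"`, names a path that this same commit changes (the lesson now lists `/lesson_plans/English`), so the text behind `PathBasedAccessControlHint2` in every language file needs to be updated, not merely translated.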
| @ -248,11 +245,7 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "The '" + s.getUserName() + "' user has access to all the files in the " | ||||
| 				+ "lesson_plans directory.  Try to break the access control mechanism and access a " | ||||
| 				+ "resource that is not in the listed directory.  After selecting a file to view, WebGoat " | ||||
| 				+ "will report if access to the file was granted.  An interesting file to try and obtain might " | ||||
| 				+ "be a file like tomcat/conf/tomcat-users.xml"; | ||||
| 		String instructions = WebGoatI18N.get("PathBasedAccessControlInstr1")+ s.getUserName() + WebGoatI18N.get("PathBasedAccessControlInstr2"); | ||||
|  | ||||
| 		return (instructions); | ||||
| 	} | ||||
|  | ||||
| @ -19,6 +19,7 @@ import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.HtmlEncoder; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -87,13 +88,13 @@ public class ReflectedXSS extends LessonAdapter | ||||
| 					makeSuccess(s); | ||||
| 				} | ||||
|  | ||||
| 				s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code.  Please try again."); | ||||
| 				s.setMessage(WebGoatI18N.get("ReflectedXSSWhoops1")+ param1 + WebGoatI18N.get("ReflectedXSSWhoops2")); | ||||
| 			} | ||||
|  | ||||
| 			// FIXME: encode output of field2, then s.setMessage( field2 ); | ||||
|  | ||||
| 			ec.addElement(new HR().setWidth("90%")); | ||||
| 			ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); | ||||
| 			ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart")))); | ||||
| 			Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); | ||||
|  | ||||
| 			if (s.isColor()) | ||||
| @ -102,10 +103,10 @@ public class ReflectedXSS extends LessonAdapter | ||||
| 			} | ||||
|  | ||||
| 			TR tr = new TR(); | ||||
| 			tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); | ||||
| 			tr.addElement(new TH().addElement("Price").setWidth("10%")); | ||||
| 			tr.addElement(new TH().addElement("Quantity").setWidth("3%")); | ||||
| 			tr.addElement(new TH().addElement("Total").setWidth("7%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%")); | ||||
| 			tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%")); | ||||
| 			t.addElement(tr); | ||||
|  | ||||
| 			tr = new TR(); | ||||
| @ -170,24 +171,24 @@ public class ReflectedXSS extends LessonAdapter | ||||
| 			ec.addElement(new BR()); | ||||
|  | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().addElement("The total charged to your credit card:")); | ||||
| 			tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":")); | ||||
| 			tr.addElement(new TD().addElement(money.format(runningTotal))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); | ||||
| 			tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart")))); | ||||
| 			t.addElement(tr); | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().addElement(" ").setColSpan(2)); | ||||
| 			t.addElement(tr); | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().addElement("Enter your credit card number:")); | ||||
| 			tr.addElement(new TD().addElement(WebGoatI18N.get("EnterCreditCard")+":")); | ||||
| 			tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); | ||||
| 			t.addElement(tr); | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().addElement("Enter your three digit access code:")); | ||||
| 			tr.addElement(new TD().addElement(WebGoatI18N.get("Enter3DigitCode")+":")); | ||||
| 			tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>")); | ||||
| 			// tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1))); | ||||
| 			t.addElement(tr); | ||||
|  | ||||
| 			Element b = ECSFactory.makeButton("Purchase"); | ||||
| 			Element b = ECSFactory.makeButton(WebGoatI18N.get("Purchase")); | ||||
| 			tr = new TR(); | ||||
| 			tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); | ||||
| 			t.addElement(tr); | ||||
| @ -197,7 +198,7 @@ public class ReflectedXSS extends LessonAdapter | ||||
| 			ec.addElement(new HR().setWidth("90%")); | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
| 		return (ec); | ||||
| @ -221,16 +222,12 @@ public class ReflectedXSS extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("A simple script is <SCRIPT>alert('bang!');</SCRIPT>."); | ||||
| 		hints.add("Can you get the script to disclose the JSESSIONID cookie?"); | ||||
| 		hints.add("You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie"); | ||||
| 		hints.add("Can you get the script to access the credit card form field?"); | ||||
| 		hints | ||||
| 				.add("Try a cross site trace (XST) Command:<br>" | ||||
| 						+ "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" | ||||
| 						+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" | ||||
| 						+ " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " | ||||
| 						+ "document.write(str1);}</script>"); | ||||
| 		hints.add(WebGoatI18N.get("ReflectedXSSHint1")); | ||||
| 		hints.add(WebGoatI18N.get("ReflectedXSSHint2")); | ||||
| 		hints.add(WebGoatI18N.get("ReflectedXSSHint3")); | ||||
| 		hints.add(WebGoatI18N.get("ReflectedXSSHint4")); | ||||
| 		hints.add(WebGoatI18N.get("ReflectedXSSHint5")); | ||||
| 		 | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| @ -238,16 +235,7 @@ public class ReflectedXSS extends LessonAdapter | ||||
| 	// = new | ||||
| 	// ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); | ||||
| 	// xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script> | ||||
| 	/** | ||||
| 	 * Gets the instructions attribute of the WeakAccessControl object | ||||
| 	 *  | ||||
| 	 * @return The instructions value | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad."; | ||||
| 		return (instructions); | ||||
| 	} | ||||
| 	 | ||||
|  | ||||
| 	private final static Integer DEFAULT_RANKING = new Integer(120); | ||||
|  | ||||
|  | ||||
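Review bot: as with JavaScriptValidation, removing `getInstructions(WebSession s)` hands ReflectedXSS over to the LessonAdapter default that reads the lesson plan; the removed mission statement is not added to any lesson plan in this diff, so check that each language's plan for this lesson states it. The line holding only a tab that remains after the deletion should go as well.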
| @ -6,6 +6,7 @@ import java.util.List; | ||||
| import org.apache.ecs.Element; | ||||
| import org.apache.ecs.ElementContainer; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -56,11 +57,6 @@ public class RemoteAdminFlaw extends LessonAdapter | ||||
| 		{ | ||||
| 			makeSuccess(s); | ||||
| 		} | ||||
| 		else | ||||
| 		{ | ||||
| 			ec.addElement("WebGoat has an admin interface.  To 'complete' this lesson you must figure " | ||||
| 					+ "out how to access the administrative interface for WebGoat."); | ||||
| 		} | ||||
| 		return ec; | ||||
|  | ||||
| 	} | ||||
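Review bot: the `else` branch that rendered the lesson description is deleted without an i18n replacement, so while the lesson is unsolved this method now returns an empty ElementContainer and the page shows nothing. Either add `ec.addElement(WebGoatI18N.get(...))` with the old text behind a key, or make sure the lesson plan for every language carries that text.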
| @ -83,12 +79,11 @@ public class RemoteAdminFlaw extends LessonAdapter | ||||
| 	public List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("WebGoat has 2 admin interfaces."); | ||||
| 		hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'"); | ||||
| 		hints | ||||
| 				.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'"); | ||||
| 		hints.add("Follow the Source!"); | ||||
| 		hints.add("On success you will see new submenu items in the menupoint 'Admin Functions'"); | ||||
| 		hints.add(WebGoatI18N.get("RemoteAdminFlawHint1")); | ||||
| 		hints.add(WebGoatI18N.get("RemoteAdminFlawHint2")); | ||||
| 		hints.add(WebGoatI18N.get("RemoteAdminFlawHint3")); | ||||
| 		hints.add(WebGoatI18N.get("RemoteAdminFlawHint4")); | ||||
| 		hints.add(WebGoatI18N.get("RemoteAdminFlawHint5")); | ||||
|  | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| @ -22,6 +22,7 @@ import org.apache.ecs.html.Select; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -129,18 +130,15 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 						makeSuccess(s); | ||||
| 						getLessonTracker(s).setStage(2); | ||||
| 						StringBuffer msg = new StringBuffer(); | ||||
|  | ||||
| 						msg.append("Bet you can't do it again! "); | ||||
| 						msg.append("This lesson has detected your successfull attack "); | ||||
| 						msg.append("and has now switched to a defensive mode. "); | ||||
| 						msg.append("Try again to attack a parameterized query."); | ||||
| 						 | ||||
| 						msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage")); | ||||
|  | ||||
| 						s.setMessage(msg.toString()); | ||||
| 					} | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
| 					ec.addElement("No results matched.  Try Again."); | ||||
| 					ec.addElement(WebGoatI18N.get("NoResultsMatched")); | ||||
| 				} | ||||
|  | ||||
| 			} catch (SQLException sqle) | ||||
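Review bot: with a single `msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage"))` the StringBuffer no longer earns its keep; `s.setMessage(WebGoatI18N.get("NumericSqlInjectionSecondStage"))` says the same in one line. The key name also sits awkwardly next to `NumericSqlInjectionSecondStage2` used in this lesson's stage-2 content and `NumericSqlInjectionSecondStage1` used by SqlStringInjection in this commit; a consistent <Lesson><Purpose> scheme would avoid three near-identical keys.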
| @ -149,7 +147,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
| @ -160,8 +158,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
|  | ||||
| 		ec.addElement("Now that you have successfully performed an SQL injection, try the same " | ||||
| 				+ " type of attack on a parameterized query."); | ||||
| 		ec.addElement(WebGoatI18N.get("NumericSqlInjectionSecondStage2")); | ||||
| 		// if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart")) | ||||
| 		// { | ||||
| 		// getLessonTracker(s).setStage(1); | ||||
| @ -205,14 +202,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
| 					ec.addElement("No results matched.  Try Again."); | ||||
| 					ec.addElement(WebGoatI18N.get("NoResultsMatched")); | ||||
| 				} | ||||
| 			} catch (SQLException sqle) | ||||
| 			{ | ||||
| 				ec.addElement(new P().addElement(sqle.getMessage())); | ||||
| 			} catch (NumberFormatException npe) | ||||
| 			{ | ||||
| 				ec.addElement(new P().addElement("Error parsing station as a number: " + npe.getMessage())); | ||||
| 				ec.addElement(new P().addElement(WebGoatI18N.get("ErrorParsingAsNumber") + npe.getMessage())); | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| @ -227,7 +224,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
|  | ||||
| 		ec.addElement(new P().addElement("Select your local weather station: ")); | ||||
| 		ec.addElement(new P().addElement(WebGoatI18N.get("SelectYourStation"))); | ||||
|  | ||||
| 		Map<String, String> stations = getStations(s); | ||||
| 		Select select = new Select(STATION_ID); | ||||
| @ -240,7 +237,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 		ec.addElement(select); | ||||
| 		ec.addElement(new P()); | ||||
|  | ||||
| 		Element b = ECSFactory.makeButton("Go!"); | ||||
| 		Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); | ||||
| 		ec.addElement(b); | ||||
|  | ||||
| 		return ec; | ||||
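Review bot: `WebGoatI18N.get("Go!")` uses the display text, punctuation included, as the key; every other key in this commit is an identifier-style name, and a translator who changes the button text for a language should not have to touch the key. Use something like `GoButton`.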
| @ -310,13 +307,12 @@ public class SqlNumericInjection extends SequentialLessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints | ||||
| 				.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command."); | ||||
| 		hints.add("This is the code for the query being built and issued by WebGoat:<br><br> " | ||||
| 				+ "\"SELECT * FROM weather_data WHERE station = \" + station "); | ||||
| 		hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " | ||||
| 				+ "Try appending a SQL statement that always resolves to true."); | ||||
| 		hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ]."); | ||||
| 		hints.add(WebGoatI18N.get("SqlNumericInjectionHint1")); | ||||
| 		hints.add(WebGoatI18N.get("SqlNumericInjectionHint2")); | ||||
| 		hints.add(WebGoatI18N.get("SqlNumericInjectionHint3")); | ||||
| 		hints.add(WebGoatI18N.get("SqlNumericInjectionHint4")); | ||||
| 		 | ||||
| 		 | ||||
|  | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| @ -18,6 +18,7 @@ import org.apache.ecs.html.PRE; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.ECSFactory; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -113,17 +114,14 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
|  | ||||
| 						StringBuffer msg = new StringBuffer(); | ||||
|  | ||||
| 						msg.append("Bet you can't do it again! "); | ||||
| 						msg.append("This lesson has detected your successful attack "); | ||||
| 						msg.append("and has now switched to a defensive mode. "); | ||||
| 						msg.append("Try again to attack a parameterized query."); | ||||
| 						msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage1")); | ||||
|  | ||||
| 						s.setMessage(msg.toString()); | ||||
| 					} | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
| 					ec.addElement("No results matched.  Try Again."); | ||||
| 					ec.addElement(WebGoatI18N.get("NoResultsMatched")); | ||||
| 				} | ||||
| 			} catch (SQLException sqle) | ||||
| 			{ | ||||
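Review bot: the key `NumericSqlInjectionSecondStage1` is looked up from `SqlStringInjection`, so either the name was copied from the numeric lesson by mistake or the two lessons share one message. If it is shared, rename it to something lesson-neutral (for example `SqlInjectionSecondStage`); if it is not, this lesson will show the numeric lesson's text in every language. Collapsing the four `msg.append(...)` calls into one is fine, but the removed fragments joined on their trailing spaces ("Bet you can't do it again! " etc.), so the single property value must carry the complete sentence run, spaces included.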
| @ -132,7 +130,7 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
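Review bot: `WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()` only reads correctly if the property value ends with a trailing space (the removed literal was `"Error generating "`). Trailing whitespace in a `.properties` value is easy to lose in an editor or in translation; either append the separator in code (`WebGoatI18N.get("ErrorGenerating") + " " + this.getClass().getName()`) or use a placeholder with `java.text.MessageFormat`. The same pattern recurs for `CouldNotFindMessage`, `WelcomeUser` and `YouHaveBeenAuthenticatedWith` further down in this commit.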
| @ -143,9 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
|  | ||||
| 		ec.addElement("Now that you have successfully performed an SQL injection, try the same " | ||||
| 				+ " type of attack on a parameterized query.  Restart the lesson if you wish " | ||||
| 				+ " to return to the injectable query"); | ||||
| 		ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage")); | ||||
| 		if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart")) | ||||
| 		{ | ||||
| 			getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); | ||||
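Review bot: the key `StringSqlInjectioNSecondStage` has a stray capital N (`InjectioN`). Property keys are case-sensitive, so every `WebGoatLabels_*.properties` would have to carry the same typo or `ResourceBundle.getString` throws `MissingResourceException` and the lesson page fails; fix it to `StringSqlInjectionSecondStage` in the code and in the properties file.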
| @ -184,7 +180,7 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
| 				} | ||||
| 				else | ||||
| 				{ | ||||
| 					ec.addElement("No results matched.  Try Again."); | ||||
| 					ec.addElement(WebGoatI18N.get("NoResultsMatched")); | ||||
| 				} | ||||
| 			} catch (SQLException sqle) | ||||
| 			{ | ||||
| @ -192,7 +188,7 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
| @ -202,13 +198,13 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
| 	protected Element makeAccountLine(WebSession s) | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
| 		ec.addElement(new P().addElement("Enter your last name: ")); | ||||
| 		ec.addElement(new P().addElement(WebGoatI18N.get("EnterLastName"))); | ||||
|  | ||||
| 		accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name"); | ||||
| 		Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString()); | ||||
| 		ec.addElement(input); | ||||
|  | ||||
| 		Element b = ECSFactory.makeButton("Go!"); | ||||
| 		Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); | ||||
| 		ec.addElement(b); | ||||
|  | ||||
| 		return ec; | ||||
| @ -233,12 +229,11 @@ public class SqlStringInjection extends SequentialLessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); | ||||
| 		hints.add("This is the code for the query being built and issued by WebGoat:<br><br> " | ||||
| 				+ "\"SELECT * FROM user_data WHERE last_name = \" + accountName "); | ||||
| 		hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR." | ||||
| 				+ "Try appending a SQL statement that always resolves to true"); | ||||
| 		hints.add("Try entering [ smith' OR '1' = '1 ]."); | ||||
| 		 | ||||
| 		hints.add(WebGoatI18N.get("SqlStringInjectionHint1")); | ||||
| 		hints.add(WebGoatI18N.get("SqlStringInjectionHint2")); | ||||
| 		hints.add(WebGoatI18N.get("SqlStringInjectionHint3")); | ||||
| 		hints.add(WebGoatI18N.get("SqlStringInjectionHint4")); | ||||
|  | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| @ -23,6 +23,7 @@ import org.apache.ecs.html.Table; | ||||
| import org.apache.ecs.html.TextArea; | ||||
| import org.owasp.webgoat.session.*; | ||||
| import org.owasp.webgoat.util.HtmlEncoder; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -114,7 +115,7 @@ public class StoredXss extends LessonAdapter | ||||
| 			// like "Characters found after end of SQL statement." | ||||
| 			if (e.getMessage().indexOf("No ResultSet was produced") == -1) | ||||
| 			{ | ||||
| 				s.setMessage("Could not add message to database"); | ||||
| 				s.setMessage(WebGoatI18N.get("CouldNotAddMessage")); | ||||
| 			} | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
| @ -159,11 +160,12 @@ public class StoredXss extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("You can put HTML tags in your message."); | ||||
| 		hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it."); | ||||
| 		hints | ||||
| 				.add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field."); | ||||
| 		hints.add("Enter this: <script>alert(document.cookie);</script> in the message field."); | ||||
| 		hints.add(WebGoatI18N.get("StoredXssHint1")); | ||||
| 		hints.add(WebGoatI18N.get("StoredXssHint1")); | ||||
| 		hints.add(WebGoatI18N.get("StoredXssHint1")); | ||||
| 		hints.add(WebGoatI18N.get("StoredXssHint1")); | ||||
| 		 | ||||
| 		 | ||||
|  | ||||
| 		return hints; | ||||
| 	} | ||||
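Review bot: all four lines in `StoredXss.getHints` look up `StoredXssHint1`, so hints 2 to 4 are lost and the student sees the first hint four times. The removed text shows they should be `StoredXssHint1` through `StoredXssHint4`, matching the numbering used for `SqlStringInjectionHint1..4` above. The two whitespace-only lines added after them should go as well.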
| @ -217,14 +219,14 @@ public class StoredXss extends LessonAdapter | ||||
|  | ||||
| 			if ((results != null) && results.first()) | ||||
| 			{ | ||||
| 				ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL))); | ||||
| 				ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor")+": " + results.getString(TITLE_COL))); | ||||
| 				Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); | ||||
| 				TR row1 = new TR(new TD(new B(new StringElement("Title:")))); | ||||
| 				TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title")+":")))); | ||||
| 				row1.addElement(new TD(new StringElement(results.getString(TITLE_COL)))); | ||||
| 				t.addElement(row1); | ||||
|  | ||||
| 				String messageData = results.getString(MESSAGE_COL); | ||||
| 				TR row2 = new TR(new TD(new B(new StringElement("Message:")))); | ||||
| 				TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message")+":")))); | ||||
| 				row2.addElement(new TD(new StringElement(messageData))); | ||||
| 				t.addElement(row2); | ||||
|  | ||||
| @ -234,7 +236,7 @@ public class StoredXss extends LessonAdapter | ||||
| 				// message, | ||||
| 				// they can see that the message is attributed to that user | ||||
|  | ||||
| 				TR row3 = new TR(new TD(new StringElement("Posted By:"))); | ||||
| 				TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy")+":"))); | ||||
| 				row3.addElement(new TD(new StringElement(results.getString(USER_COL)))); | ||||
| 				t.addElement(row3); | ||||
|  | ||||
| @ -253,12 +255,12 @@ public class StoredXss extends LessonAdapter | ||||
| 			{ | ||||
| 				if (messageNum != 0) | ||||
| 				{ | ||||
| 					ec.addElement(new P().addElement("Could not find message " + messageNum)); | ||||
| 					ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum)); | ||||
| 				} | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
| @ -277,14 +279,14 @@ public class StoredXss extends LessonAdapter | ||||
| 		Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); | ||||
| 		TR row1 = new TR(); | ||||
| 		TR row2 = new TR(); | ||||
| 		row1.addElement(new TD(new StringElement("Title: "))); | ||||
| 		row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title")+": "))); | ||||
|  | ||||
| 		Input inputTitle = new Input(Input.TEXT, TITLE, ""); | ||||
| 		row1.addElement(new TD(inputTitle)); | ||||
|  | ||||
| 		TD item1 = new TD(); | ||||
| 		item1.setVAlign("TOP"); | ||||
| 		item1.addElement(new StringElement("Message: ")); | ||||
| 		item1.addElement(new StringElement(WebGoatI18N.get("Message")+": ")); | ||||
| 		row2.addElement(item1); | ||||
|  | ||||
| 		TD item2 = new TD(); | ||||
| @ -294,7 +296,7 @@ public class StoredXss extends LessonAdapter | ||||
| 		t.addElement(row1); | ||||
| 		t.addElement(row2); | ||||
|  | ||||
| 		Element b = ECSFactory.makeButton("Submit"); | ||||
| 		Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit")); | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
| 		ec.addElement(t); | ||||
| 		ec.addElement(new P().addElement(b)); | ||||
| @ -343,11 +345,11 @@ public class StoredXss extends LessonAdapter | ||||
| 			} | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error while getting message list."); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList")); | ||||
| 		} | ||||
|  | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
| 		ec.addElement(new H1("Message List")); | ||||
| 		ec.addElement(new H1(WebGoatI18N.get("MessageList"))); | ||||
| 		ec.addElement(t); | ||||
|  | ||||
| 		return (ec); | ||||
|  | ||||
| @ -18,6 +18,7 @@ import org.apache.ecs.html.TH; | ||||
| import org.apache.ecs.html.TR; | ||||
| import org.apache.ecs.html.Table; | ||||
| import org.owasp.webgoat.session.*; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -103,7 +104,7 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 			} | ||||
| 			else | ||||
| 			{ | ||||
| 				s.setMessage("Invalid cookie"); | ||||
| 				s.setMessage(WebGoatI18N.get("InvalidCookie")); | ||||
| 				s.eatCookies(); | ||||
| 			} | ||||
| 		} | ||||
| @ -141,14 +142,14 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 			if (loginID != "") | ||||
| 			{ | ||||
| 				Cookie newCookie = new Cookie(AUTHCOOKIE, loginID); | ||||
| 				s.setMessage("Your identity has been remembered"); | ||||
| 				s.setMessage(WebGoatI18N.get("IdentityRemembered")); | ||||
| 				s.getResponse().addCookie(newCookie); | ||||
|  | ||||
| 				return (username); | ||||
| 			} | ||||
| 			else | ||||
| 			{ | ||||
| 				s.setMessage("Invalid username and password entered."); | ||||
| 				s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword")); | ||||
| 			} | ||||
| 		} | ||||
|  | ||||
| @ -168,7 +169,7 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
|  | ||||
| 		if (logout) | ||||
| 		{ | ||||
| 			s.setMessage("Goodbye!  Your password has been forgotten"); | ||||
| 			s.setMessage(WebGoatI18N.get("PasswordForgotten")); | ||||
| 			s.eatCookies(); | ||||
|  | ||||
| 			return (makeLogin(s)); | ||||
| @ -185,7 +186,7 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 			if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); } | ||||
| 		} catch (Exception e) | ||||
| 		{ | ||||
| 			s.setMessage("Error generating " + this.getClass().getName()); | ||||
| 			s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); | ||||
| 			e.printStackTrace(); | ||||
| 		} | ||||
|  | ||||
| @ -250,27 +251,16 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 	protected List<String> getHints(WebSession s) | ||||
| 	{ | ||||
| 		List<String> hints = new ArrayList<String>(); | ||||
| 		hints.add("The server authenticates the user using a cookie, if you send the right cookie."); | ||||
| 		hints.add("Is the AuthCookie value guessable knowing the username and password?"); | ||||
| 		hints.add("Add 'AuthCookie=********;' to the Cookie: header using " | ||||
| 				+ "<A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>."); | ||||
| 		hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx<br/>" | ||||
| 				+ "After logging in as aspect a cookie is added. 65432udfqtb<br/>" | ||||
| 				+ "Is there anything similar about the cookies and the login names?"); | ||||
| 		hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1")); | ||||
| 		hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2")); | ||||
| 		hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3")); | ||||
| 		hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4")); | ||||
| 		 | ||||
| 		 | ||||
| 		return hints; | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
| 	 * Gets the instructions attribute of the WeakAuthenticationCookie object | ||||
| 	 *  | ||||
| 	 * @return The instructions value | ||||
| 	 */ | ||||
| 	public String getInstructions(WebSession s) | ||||
| 	{ | ||||
| 		String instructions = "Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice."; | ||||
|  | ||||
| 		return (instructions); | ||||
| 	} | ||||
|  | ||||
| 	private final static Integer DEFAULT_RANKING = new Integer(90); | ||||
|  | ||||
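Review bot: `getInstructions(WebSession)` is deleted outright rather than routed through `WebGoatI18N`, so `WeakAuthenticationCookie` no longer tells the student to log in as webgoat/webgoat, try aspect/aspect, and then change identity to alice. If that text has moved into the per-language lesson plan, say so in the commit; otherwise add an `Instructions` key and keep the method. Also, these keys are named `WeakAuthenticationCookieHints1..4` (plural "Hints") while every other lesson in this commit uses `...Hint1..4`; make them consistent before the properties files are copied per language.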
| @ -300,7 +290,7 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
|  | ||||
| 		ec.addElement(new H1().addElement("Sign In ")); | ||||
| 		ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn"))); | ||||
| 		Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); | ||||
|  | ||||
| 		if (s.isColor()) | ||||
| @ -310,12 +300,12 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
|  | ||||
| 		TR tr = new TR(); | ||||
| 		tr.addElement(new TH() | ||||
| 				.addElement("Please sign in to your account.  See the OWASP admin if you do not have an account.") | ||||
| 				.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn")) | ||||
| 				.setColSpan(2).setAlign("left")); | ||||
| 		t.addElement(tr); | ||||
|  | ||||
| 		tr = new TR(); | ||||
| 		tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); | ||||
| 		tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%")); | ||||
| 		t.addElement(tr); | ||||
|  | ||||
| 		tr = new TR(); | ||||
| @ -324,8 +314,8 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
|  | ||||
| 		TR row1 = new TR(); | ||||
| 		TR row2 = new TR(); | ||||
| 		row1.addElement(new TD(new B(new StringElement("*User Name: ")))); | ||||
| 		row2.addElement(new TD(new B(new StringElement("*Password: ")))); | ||||
| 		row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName"))))); | ||||
| 		row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password"))))); | ||||
|  | ||||
| 		Input input1 = new Input(Input.TEXT, USERNAME, ""); | ||||
| 		Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); | ||||
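Review bot: the removed labels were `"*User Name: "` and `"*Password: "`; the replacements `"*"+WebGoatI18N.get("UserName")` and `"*"+WebGoatI18N.get("Password")` drop the colon and space unless the property values include them. Decide whether punctuation belongs in the value or in the code and do it the same way here, in `RequiredFields` above, and in the `Title`/`Message`/`PostedBy` labels in `StoredXss`, which append `":"` in code.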
| @ -334,7 +324,7 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 		t.addElement(row1); | ||||
| 		t.addElement(row2); | ||||
|  | ||||
| 		Element b = ECSFactory.makeButton("Login"); | ||||
| 		Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); | ||||
| 		t.addElement(new TR(new TD(b))); | ||||
| 		ec.addElement(t); | ||||
|  | ||||
| @ -357,10 +347,10 @@ public class WeakAuthenticationCookie extends LessonAdapter | ||||
| 	protected Element makeUser(WebSession s, String user, String method) throws Exception | ||||
| 	{ | ||||
| 		ElementContainer ec = new ElementContainer(); | ||||
| 		ec.addElement(new P().addElement("Welcome, " + user)); | ||||
| 		ec.addElement(new P().addElement("You have been authenticated with " + method)); | ||||
| 		ec.addElement(new P().addElement(ECSFactory.makeLink("Logout", LOGOUT, true))); | ||||
| 		ec.addElement(new P().addElement(ECSFactory.makeLink("Refresh", "", ""))); | ||||
| 		ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user)); | ||||
| 		ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method)); | ||||
| 		ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true))); | ||||
| 		ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", ""))); | ||||
|  | ||||
| 		return (ec); | ||||
| 	} | ||||
|  | ||||
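Review bot: `WebGoatI18N.get("WelcomeUser") + user` and `WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method` fix the variable at the end of the sentence, which does not hold for every target language. Use a positional placeholder (`MessageFormat.format(WebGoatI18N.get("WelcomeUser"), user)` with a value such as `Welcome, {0}`) so translators can reorder the sentence; the same applies to `YouHaveBeenAuthenticatedWith` and `CouldNotFindMessage`.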
| @ -4,6 +4,7 @@ package org.owasp.webgoat.session; | ||||
| import java.io.File; | ||||
| import java.io.IOException; | ||||
| import java.util.ArrayList; | ||||
| import java.util.Arrays; | ||||
| import java.util.Collections; | ||||
| import java.util.Iterator; | ||||
| import java.util.List; | ||||
| @ -16,6 +17,7 @@ import org.owasp.webgoat.lessons.AbstractLesson; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
|  | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
|  *  | ||||
|  *  | ||||
| @ -59,6 +61,7 @@ public class Course | ||||
|  | ||||
| 	private WebgoatContext webgoatContext; | ||||
|  | ||||
| 	 | ||||
| 	public Course() | ||||
| 	{ | ||||
| 		try | ||||
| @ -71,6 +74,9 @@ public class Course | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	 | ||||
| 	 | ||||
| 	 | ||||
| 	/** | ||||
| 	 * Take an absolute file and return the filename. | ||||
| 	 *  | ||||
| @ -368,6 +374,15 @@ public class Course | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	private String getLanguageFromFileName(String first, String absoluteFile){ | ||||
| 		int p1 = absoluteFile.indexOf("/",absoluteFile.indexOf(first)+1); | ||||
| 		int p2 = absoluteFile.indexOf("/",p1+1); | ||||
| 		String langStr=absoluteFile.substring(p1+1,p2); | ||||
| 		 | ||||
| 		 | ||||
| 		return new String(langStr); | ||||
| 	} | ||||
| 	 | ||||
| 	/** | ||||
| 	 * For each lesson, set the source file and lesson file | ||||
| 	 */ | ||||
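Review bot: `getLanguageFromFileName` assumes a second `/` after the language directory; for a plan that sits directly under `/lesson_plans/` (the pre-commit layout) `p2` is `-1` and `substring(p1+1, p2)` throws `StringIndexOutOfBoundsException`, which would abort `loadResources` for the whole course. Guard `p2 < 0` and either skip the file or treat it as the default language. The `new String(langStr)` copy is unnecessary; return `langStr`. Note also that the directory name (`English`, `Spanish`) is later passed to `new Locale(language)`, which lower-cases the language part, so `ResourceBundle` looks for `WebGoatLabels_english.properties`; on a case-sensitive filesystem a file named `WebGoatLabels_English.properties` is not found and `getBundle` silently falls back to the base bundle instead of failing, so the naming rule for the properties files needs to state the lower-case form.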
| @ -402,7 +417,9 @@ public class Course | ||||
| 					// lesson " + | ||||
| 					// lesson.getClass().getName()); | ||||
| 					// System.out.println("fileName: " + fileName + " == className: " + className ); | ||||
| 					lesson.setLessonPlanFileName(absoluteFile); | ||||
| 					String language = getLanguageFromFileName("/lesson_plans",absoluteFile); | ||||
| 					lesson.setLessonPlanFileName(language, absoluteFile); | ||||
| 					this.webgoatContext.getWebgoatI18N().loadLanguage(language); | ||||
| 				} | ||||
| 				if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") | ||||
| 						&& className.endsWith(fileName)) | ||||
|  | ||||
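Review bot: `loadLanguage` is declared `static` in `WebGoatI18N` but is called here through the instance returned by `getWebgoatI18N()`, and it runs once per lesson-plan file rather than once per language directory, so the same bundle is requested for every plan. `ResourceBundle` caches, so this is waste rather than breakage, but either call it as `WebGoatI18N.loadLanguage(language)` and return early when `labels` already has the key, or make it an instance method; doing both at once is confusing.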
| @ -23,6 +23,8 @@ import org.owasp.webgoat.lessons.AbstractLesson; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.RandomLessonAdapter; | ||||
| import org.owasp.webgoat.lessons.SequentialLessonAdapter; | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -143,6 +145,8 @@ public class WebSession | ||||
|  | ||||
| 	public final static String DEBUG = "debug"; | ||||
|  | ||||
| 	public final static String LANGUAGE = "language"; | ||||
| 	 | ||||
| 	/** | ||||
| 	 * Description of the Field | ||||
| 	 */ | ||||
| @ -198,6 +202,10 @@ public class WebSession | ||||
|  | ||||
| 	private int currentMenu; | ||||
|  | ||||
| 	private String currentLanguage = null; | ||||
| 	 | ||||
| 	 | ||||
| 	 | ||||
| 	/** | ||||
| 	 * Constructor for the WebSession object | ||||
| 	 *  | ||||
| @ -215,7 +223,9 @@ public class WebSession | ||||
| 		showSource = webgoatContext.isShowSource(); | ||||
| 		showSolution = webgoatContext.isShowSolution(); | ||||
| 		showRequest = webgoatContext.isShowRequest(); | ||||
| 		currentLanguage = webgoatContext.getDefaultLanguage(); | ||||
| 		this.context = context; | ||||
| 		 | ||||
| 		course = new Course(); | ||||
| 		course.loadCourses(webgoatContext, context, "/"); | ||||
| 	} | ||||
| @ -290,6 +300,9 @@ public class WebSession | ||||
| 		return context; | ||||
| 	} | ||||
|  | ||||
| 		 | ||||
| 	 | ||||
| 	 | ||||
| 	public List<String> getRoles() | ||||
| 	{ | ||||
| 		List<String> roles = new ArrayList<String>(); | ||||
| @ -591,20 +604,6 @@ public class WebSession | ||||
| 		return (isAdmin); | ||||
| 	} | ||||
|  | ||||
| 	/**  | ||||
| 	 * Sets the admin flag - this routine is ONLY | ||||
| 	 * here to allow someone a backdoor to setting the | ||||
| 	 * user up as an admin. | ||||
| 	 *  | ||||
| 	 * This is also used by the WebSession to set the admin, but the method | ||||
| 	 * should be private | ||||
| 	 *  | ||||
| 	 * @param state | ||||
| 	 */ | ||||
| 	public void setAdmin(boolean state) | ||||
| 	{ | ||||
| 		isAdmin = state; | ||||
| 	} | ||||
| 	/** | ||||
| 	 * Gets the hackedAdmin attribute of the WebSession object | ||||
| 	 *  | ||||
| @ -728,7 +727,7 @@ public class WebSession | ||||
| 	 */ | ||||
| 	public boolean isUser() | ||||
| 	{ | ||||
| 		return (!isAdmin() && !isChallenge()); | ||||
| 		return (!isAdmin && !isChallenge()); | ||||
| 	} | ||||
|  | ||||
| 	/** | ||||
| @ -834,6 +833,12 @@ public class WebSession | ||||
| 		{ | ||||
| 			myParser.update(request); | ||||
| 		} | ||||
| 		 | ||||
| 		if(myParser.getRawParameter(LANGUAGE,null)!=null){ | ||||
| 			this.currentLanguage=new String(myParser.getRawParameter(LANGUAGE,null)); | ||||
| 			WebGoatI18N.setCurrentLanguage(this.currentLanguage); | ||||
| 		} | ||||
| 		 | ||||
|  | ||||
| 		// System.out.println("Current Screen 1: " + currentScreen ); | ||||
| 		// System.out.println("Previous Screen 1: " + previousScreen ); | ||||
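Review bot: `WebGoatI18N.setCurrentLanguage(this.currentLanguage)` writes a request parameter into a `static` field shared by every session in the JVM, so one user submitting `language=Spanish` switches the labels for all other logged-in users until someone submits a different value, and two concurrent requests race on it. Keep the choice per `WebSession` (the `currentLanguage` field added above already exists for that) and pass it into the lookup, for example `WebGoatI18N.get(s.getCurrentLanguage(), key)`, or resolve it from the session at render time. The value is also stored unvalidated; check it against the languages `Course` actually discovered, and drop the redundant `new String(...)` copy.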
| @ -965,8 +970,8 @@ public class WebSession | ||||
|  | ||||
| 		} | ||||
|  | ||||
| 		setAdmin(request.isUserInRole(WEBGOAT_ADMIN)); | ||||
| 		isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin()); | ||||
| 		isAdmin = request.isUserInRole(WEBGOAT_ADMIN); | ||||
| 		isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin); | ||||
| 		if (isHackedAdmin) | ||||
| 		{ | ||||
| 			System.out.println("Hacked admin"); | ||||
| @ -1005,10 +1010,7 @@ public class WebSession | ||||
| 		{ | ||||
| 			RandomLessonAdapter rla = (RandomLessonAdapter) al; | ||||
| 			rla.setStage(this, rla.getStages()[0]); | ||||
| 		}  | ||||
| 		else if(al instanceof org.owasp.webgoat.lessons.MaliciousFileExecution) { | ||||
| 			((org.owasp.webgoat.lessons.MaliciousFileExecution) al).restartLesson(this); | ||||
| 		}  | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
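Review bot: removing the `else if (al instanceof org.owasp.webgoat.lessons.MaliciousFileExecution)` branch means `MaliciousFileExecution.restartLesson(this)` is no longer called when that lesson is restarted. That is unrelated to internationalization and looks like a regression from an outdated working copy rather than an intended change; restore it, or move the removal to its own commit with a justification.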
| 	/** | ||||
| @ -1093,4 +1095,10 @@ public class WebSession | ||||
| 	{ | ||||
| 		return webgoatContext; | ||||
| 	} | ||||
|  | ||||
| 	public String getCurrrentLanguage() { | ||||
| 		return currentLanguage; | ||||
| 	} | ||||
|  | ||||
| 	 | ||||
| } | ||||
|  | ||||
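Review bot: `getCurrrentLanguage()` has three r's; rename it to `getCurrentLanguage()` before callers start depending on the typo. Note also that `currentLanguage` is initialised from `webgoatContext.getDefaultLanguage()` in the constructor but the static `WebGoatI18N.currentLanguage` is not, so until some request carries a `language=` parameter every lookup relies on the `containsKey(null)` fallback in `WebGoatI18N.get()`.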
| @ -4,6 +4,8 @@ package org.owasp.webgoat.session; | ||||
| import java.util.Iterator; | ||||
| import javax.servlet.http.HttpServlet; | ||||
|  | ||||
| import org.owasp.webgoat.util.WebGoatI18N; | ||||
|  | ||||
|  | ||||
| public class WebgoatContext | ||||
| { | ||||
| @ -39,6 +41,8 @@ public class WebgoatContext | ||||
| 	public final static String FEEDBACK_ADDRESS = "email"; | ||||
|  | ||||
| 	public final static String DEBUG = "debug"; | ||||
| 	 | ||||
| 	public final static String DEFAULTLANGUAGE = "DefaultLanguage"; | ||||
|  | ||||
| 	private String databaseConnectionString; | ||||
|  | ||||
| @ -75,6 +79,10 @@ public class WebgoatContext | ||||
| 	private String servletName; | ||||
|  | ||||
| 	private HttpServlet servlet; | ||||
| 	 | ||||
| 	private String defaultLanguage; | ||||
| 	 | ||||
| 	private WebGoatI18N webgoati18n = null; | ||||
|  | ||||
| 	public WebgoatContext(HttpServlet servlet) | ||||
| 	{ | ||||
| @ -100,7 +108,10 @@ public class WebgoatContext | ||||
| 		showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); | ||||
| 		isDebug = "true".equals(getParameter(servlet, DEBUG)); | ||||
| 		servletName = servlet.getServletName(); | ||||
|  | ||||
| 		defaultLanguage = getParameter(servlet,DEFAULTLANGUAGE)!=null ? new String(getParameter(servlet, DEFAULTLANGUAGE)): new String("English"); | ||||
| 		 | ||||
| 		webgoati18n = new WebGoatI18N(this); | ||||
| 		 | ||||
| 	} | ||||
|  | ||||
| 	private String getParameter(HttpServlet servlet, String key) | ||||
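Review bot: `getParameter(servlet, DEFAULTLANGUAGE)` is called twice and both results are wrapped in `new String(...)`, which copies for no reason; `String lang = getParameter(servlet, DEFAULTLANGUAGE); defaultLanguage = lang != null ? lang : "English";` is enough. The fallback literal `"English"` has to match both the `lesson_plans/English` directory name and the `WebGoatLabels_*.properties` suffix, so it deserves a named constant next to `DEFAULTLANGUAGE` rather than an inline string.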
| @ -222,4 +233,16 @@ public class WebgoatContext | ||||
| 		return showSolution; | ||||
| 	} | ||||
|  | ||||
| 	public String getDefaultLanguage() { | ||||
| 		return defaultLanguage; | ||||
| 	} | ||||
|  | ||||
| 	public void setWebgoatiI18N(WebGoatI18N webgoati18n) { | ||||
| 		this.webgoati18n = webgoati18n; | ||||
| 	} | ||||
|  | ||||
| 	public WebGoatI18N getWebgoatI18N() { | ||||
| 		return webgoati18n; | ||||
| 	} | ||||
| 	 | ||||
| } | ||||
|  | ||||
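Review bot: `setWebgoatiI18N` has a stray `i` (`Webgoati`) and should be `setWebgoatI18N` to match `getWebgoatI18N`. Since `WebGoatI18N` keeps all of its state in static fields, the instance this setter stores is never what `get()` reads from; either drop the setter or make the class instance-based so the context actually owns the translations.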
| @ -0,0 +1,41 @@ | ||||
| package org.owasp.webgoat.util; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Locale; | ||||
| import java.util.ResourceBundle; | ||||
|  | ||||
| import org.owasp.webgoat.session.WebgoatContext; | ||||
|  | ||||
| public class WebGoatI18N { | ||||
|  | ||||
| 	private static HashMap<String,ResourceBundle> labels= new HashMap<String,ResourceBundle>(); | ||||
| 	private static String defaultLanguage ; | ||||
| 	private static String currentLanguage; | ||||
| 	 | ||||
| 	public WebGoatI18N(WebgoatContext context){ | ||||
| 		Locale l = new Locale(context.getDefaultLanguage()); | ||||
| 		WebGoatI18N.defaultLanguage=context.getDefaultLanguage(); | ||||
| 		labels.put(context.getDefaultLanguage(),ResourceBundle.getBundle("WebGoatLabels",l)); | ||||
| 	} | ||||
| 	 | ||||
| 	public static void loadLanguage(String language){ | ||||
| 		Locale l = new Locale(language); | ||||
| 		labels.put(language, ResourceBundle.getBundle("WebGoatLabels",l)); | ||||
| 	} | ||||
| 	 | ||||
| 	public static void setCurrentLanguage(String language){ | ||||
| 		WebGoatI18N.currentLanguage=language; | ||||
| 	} | ||||
| 	 | ||||
| 	public static String get(String strName) { | ||||
| 		if(labels.containsKey(WebGoatI18N.currentLanguage)){ | ||||
| 			return labels.get(WebGoatI18N.currentLanguage).getString(strName);	 | ||||
| 		} | ||||
| 		else { | ||||
| 			return labels.get(WebGoatI18N.defaultLanguage).getString(strName); | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	 | ||||
| 	 | ||||
| } | ||||
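Review bot: `get()` calls `ResourceBundle.getString`, which throws `MissingResourceException` for any key absent from the chosen bundle, so a single untranslated label takes the whole page down (the commit message already admits this). Catch it and fall back to the default-language bundle, then to the key itself, so a missing Spanish entry shows English rather than a stack trace. Two more points: `labels` is a plain `HashMap` that `loadLanguage` writes while request threads read it through `get()`, so use a `ConcurrentHashMap` or load every language before the servlet starts serving; and `labels.get(WebGoatI18N.defaultLanguage)` is null if `get()` is ever reached before the constructor has run, which would surface as a `NullPointerException` instead of a clear error.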
| @ -192,9 +192,9 @@ html>body #navBar li {} | ||||
|  | ||||
| #topRight { | ||||
| 	position:absolute; | ||||
| 	left:715px; | ||||
| 	left:485px; | ||||
| 	top:0px; | ||||
| 	width:75px; | ||||
| 	width:320px; | ||||
| 	height:23px; | ||||
| 	z-index:3; | ||||
| 	float: right; | ||||
|  | ||||
| @ -1,3 +1,10 @@ | ||||
| function changeLanguage(){ | ||||
| 	var select=MM_findObj("language",null); | ||||
| 	 | ||||
| 	document.location="attack?language="+select.value; | ||||
| }	 | ||||
|  | ||||
|  | ||||
| function MM_findObj(n, d) { | ||||
|   var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) { | ||||
|     d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);} | ||||
|  | ||||
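Review bot: `changeLanguage()` builds the URL as `"attack?language=" + select.value` without `encodeURIComponent`, and the resulting request carries no other parameters, so whatever the user was viewing is not preserved in the URL and the server side stores whatever value arrives. Encode the value, and consider submitting the existing form with the language field added so the user stays on the current lesson after switching.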
| @ -6,6 +6,7 @@ | ||||
| Command  injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.<br/> | ||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.<br/> | ||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br/> | ||||
| Try to inject a command to the operating system. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| The user should be able to execute any command on the hosting OS.   | ||||
| @ -2,8 +2,11 @@ | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit Hidden Fields </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| 
 | ||||
| Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field.  This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified  <br> | ||||
| <!-- Stop Instructions --> | ||||
| 
 | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to exploit a hidden field to obtain a product at an incorrect price. | ||||
| <!-- Start Instructions --> | ||||
| Try to purchase the HDTV for less than the purchase price, if you have not done so already. | ||||
| <!-- Stop Instructions --> | ||||
| @ -5,7 +5,8 @@ | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code.  Review the source code for any comments denoting  passwords, backdoors, or something doesn't work right.  | ||||
|  Below is an example of a forms based authentication form.  Look for clues to help you log in. | ||||
| <!-- Stop Instructions --> | ||||
| <br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
|  The user should be able to bypass the authentication check. | ||||
| The user should be able to bypass the authentication check. | ||||
| @ -2,9 +2,13 @@ | ||||
| <p><b>Lesson Plan Title:</b> How to Bypass Client Side JavaScript Validation </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| 
 | ||||
| Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application. | ||||
| <!-- Stop Instructions --> | ||||
| 
 | ||||
| <br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting. <br> | ||||
| <!-- Start Instructions --> | ||||
| This website performs both client and server side validation.  For this exercise, your job is to break the client side validation and send the  | ||||
|  website input that it wasn't expecting. <b> You must break all 7 validators at the same time. </b> | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,114 +1,114 @@ | ||||
| <!-- Start Instructions --> | ||||
| <h1>How To Configure Tomcat</h1><br><br> | ||||
| <h2>Introduction</h2> | ||||
| <p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations | ||||
| and other possible configurations for Tomcat. This is just  | ||||
| a short description which should be enough in most cases. For more advanced tasks please  | ||||
| refer to the Tomcat documentation. Please note that all solutions | ||||
| are written for the standard configurations on port 80. If you use another port you have  | ||||
| to adjust the solution to your configuration.</p> | ||||
| 
 | ||||
| <h2>The Standard Configurations</h2> | ||||
| <p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. | ||||
| 	Both are identically with the only difference | ||||
| 	that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have | ||||
| 	to start WebGoat as root or with sudo if you want to run it on port 80 and | ||||
| 	443. | ||||
| 	As running software as root is dangerous we strongly advice to use | ||||
| the port 8080 and 8443. In Windows you can | ||||
| run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you | ||||
| can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these | ||||
| configurations is guest with password guest | ||||
| </p> | ||||
| 
 | ||||
| <h2>Server Configurations</h2> | ||||
| <p> | ||||
| If you are a single user of WebGoat the standard configurations should be | ||||
| enough but if you want to use WebGoat in laboratory or in class there | ||||
| might be the need to change the configurations. Before changing | ||||
| the configurations we recommend doing a backup of the files you change. | ||||
| </p> | ||||
| 
 | ||||
| <h3>Change Ports</h3> | ||||
| <p> | ||||
| To change the ports open the server_80.xml which you find in tomcat/conf and change the  | ||||
| non-SSL port. If you want to use it on port 8079 for example: | ||||
| </p> | ||||
| 
 | ||||
| <pre> | ||||
| 	<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->  | ||||
| 	<Connector address="127.0.0.1" port="8079"... | ||||
| </pre> | ||||
| <p> | ||||
| You can also change the SSL connector to another port of course. | ||||
| In this example to port 8442: | ||||
| </p> | ||||
| <pre> | ||||
| 	<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->  | ||||
| 	<Connector address="127.0.0.1" port="8442"...  | ||||
| <!-- Start Instructions --> | ||||
| <h1>How To Configure Tomcat</h1><br><br> | ||||
| <h2>Introduction</h2> | ||||
| <p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations | ||||
| and other possible configurations for Tomcat. This is just  | ||||
| a short description which should be enough in most cases. For more advanced tasks please  | ||||
| refer to the Tomcat documentation. Please note that all solutions | ||||
| are written for the standard configurations on port 80. If you use another port you have  | ||||
| to adjust the solution to your configuration.</p> | ||||
| 
 | ||||
| <h2>The Standard Configurations</h2> | ||||
| <p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. | ||||
| 	Both are identically with the only difference | ||||
| 	that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have | ||||
| 	to start WebGoat as root or with sudo if you want to run it on port 80 and | ||||
| 	443. | ||||
| 	As running software as root is dangerous we strongly advice to use | ||||
| the port 8080 and 8443. In Windows you can | ||||
| run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you | ||||
| can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these | ||||
| configurations is guest with password guest | ||||
| </p> | ||||
| 
 | ||||
| <h2>Server Configurations</h2> | ||||
| <p> | ||||
| If you are a single user of WebGoat the standard configurations should be | ||||
| enough but if you want to use WebGoat in laboratory or in class there | ||||
| might be the need to change the configurations. Before changing | ||||
| the configurations we recommend doing a backup of the files you change. | ||||
| </p> | ||||
| 
 | ||||
| <h3>Change Ports</h3> | ||||
| <p> | ||||
| To change the ports open the server_80.xml which you find in tomcat/conf and change the  | ||||
| non-SSL port. If you want to use it on port 8079 for example: | ||||
| </p> | ||||
| 
 | ||||
| <pre> | ||||
| 	<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->  | ||||
| 	<Connector address="127.0.0.1" port="8079"... | ||||
| </pre> | ||||
| <br> | ||||
| 
 | ||||
| <h3>Make WebGoat Reachable From Another Client</h3> | ||||
| <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS | ||||
| 	UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN  | ||||
| SAFE NETWORKS!</p> | ||||
| <p>By its default configurations WebGoat is only | ||||
| reachable within the localhost. In a laboratory or a class | ||||
| there is maybe the need of having a server and a few clients.  | ||||
| In this case it is possible to make WebGoat reachable. | ||||
| </p> | ||||
| <p>The reason why WebGoat is only reachable within the localhost is | ||||
| the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set | ||||
| to 127.0.0.1. The applications only listens on the port of this address for | ||||
| incoming connections if it is set. If you remove this parameter the server listens on all IPs on the | ||||
| specific port.</p> | ||||
| 
 | ||||
| <h3>Permit Only Certain Clients Connection</h3> | ||||
| <p> | ||||
| If you have made WebGoat reachable it is reachable for | ||||
| all clients. If you want to make it reachable only for certain clients specified | ||||
| by there IP you can archive this by using a 'Remote Address Filter'. | ||||
| The filter can be set in a whitebox or blackbox approach. Here is | ||||
| only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: | ||||
| </p> | ||||
| <pre> | ||||
| 	<Valve className="org.apache.catalina.valves.RemoteAddrValve" | ||||
| 	allow="127.0.0.1,ip1,ip2"/> | ||||
| </pre> | ||||
| <p>In this case only localhost, ip1 and ip2 are permitted to connect.</p> | ||||
| 
 | ||||
| <h2>WebGoat Default Users and Roles for Tomcat</h2> | ||||
| <p> | ||||
| WebGoat requires the following users and roles to be configured in order for the application to run. | ||||
| <br/> | ||||
|   <pre> | ||||
|   >role rolename="webgoat_basic"/< | ||||
|   >role rolename="webgoat_admin"/< | ||||
|   >role rolename="webgoat_user"/< | ||||
|   >user username="webgoat" password="webgoat" roles="webgoat_admin"/< | ||||
|   >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/< | ||||
|   >user username="guest" password="guest" roles="webgoat_user"/< | ||||
|   </pre> | ||||
| </p> | ||||
| <h2>Adding Users</h2> | ||||
| <p> | ||||
| Usually using WebGoat you just use the user guest with the password guest. | ||||
| But maybe in laboratory you have made a setup with one server and a lot of | ||||
| clients. In this case you might want to have a user for every client | ||||
|  and you have to alter tomcat-users.xml  | ||||
| in tomcat/conf as the users are stored there. <b>We recommend not to use real passwords  | ||||
| as the passwords are stored in plain text in this file!</b> | ||||
| </p> | ||||
| <h3>Add User</h3> | ||||
| <p> | ||||
| Adding a user is straight forward. You can use the guest entry as an example. The added | ||||
| users should have the same role as the guest user. Add lines like this to the file: | ||||
| </p> | ||||
| <pre> | ||||
| 	<user name="student1" password="password1" roles="webgoat_user"/> | ||||
| 	<user name="student2" password="password2" roles="webgoat_user"/> | ||||
| 	... | ||||
| </pre> | ||||
| 
 | ||||
| <p> | ||||
| You can also change the SSL connector to another port of course. | ||||
| In this example to port 8442: | ||||
| </p> | ||||
| <pre> | ||||
| 	<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->  | ||||
| 	<Connector address="127.0.0.1" port="8442"...  | ||||
| </pre> | ||||
| <br> | ||||
| 
 | ||||
| <h3>Make WebGoat Reachable From Another Client</h3> | ||||
| <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS | ||||
| 	UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN  | ||||
| SAFE NETWORKS!</p> | ||||
| <p>By its default configurations WebGoat is only | ||||
| reachable within the localhost. In a laboratory or a class | ||||
| there is maybe the need of having a server and a few clients.  | ||||
| In this case it is possible to make WebGoat reachable. | ||||
| </p> | ||||
| <p>The reason why WebGoat is only reachable within the localhost is | ||||
| the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set | ||||
| to 127.0.0.1. The applications only listens on the port of this address for | ||||
| incoming connections if it is set. If you remove this parameter the server listens on all IPs on the | ||||
| specific port.</p> | ||||
| 
 | ||||
| <h3>Permit Only Certain Clients Connection</h3> | ||||
| <p> | ||||
| If you have made WebGoat reachable it is reachable for | ||||
| all clients. If you want to make it reachable only for certain clients specified | ||||
| by there IP you can archive this by using a 'Remote Address Filter'. | ||||
| The filter can be set in a whitebox or blackbox approach. Here is | ||||
| only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: | ||||
| </p> | ||||
| <pre> | ||||
| 	<Valve className="org.apache.catalina.valves.RemoteAddrValve" | ||||
| 	allow="127.0.0.1,ip1,ip2"/> | ||||
| </pre> | ||||
| <p>In this case only localhost, ip1 and ip2 are permitted to connect.</p> | ||||
| 
 | ||||
| <h2>WebGoat Default Users and Roles for Tomcat</h2> | ||||
| <p> | ||||
| WebGoat requires the following users and roles to be configured in order for the application to run. | ||||
| <br/> | ||||
|   <pre> | ||||
|   >role rolename="webgoat_basic"/< | ||||
|   >role rolename="webgoat_admin"/< | ||||
|   >role rolename="webgoat_user"/< | ||||
|   >user username="webgoat" password="webgoat" roles="webgoat_admin"/< | ||||
|   >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/< | ||||
|   >user username="guest" password="guest" roles="webgoat_user"/< | ||||
|   </pre> | ||||
| </p> | ||||
| <h2>Adding Users</h2> | ||||
| <p> | ||||
| Usually using WebGoat you just use the user guest with the password guest. | ||||
| But maybe in laboratory you have made a setup with one server and a lot of | ||||
| clients. In this case you might want to have a user for every client | ||||
|  and you have to alter tomcat-users.xml  | ||||
| in tomcat/conf as the users are stored there. <b>We recommend not to use real passwords  | ||||
| as the passwords are stored in plain text in this file!</b> | ||||
| </p> | ||||
| <h3>Add User</h3> | ||||
| <p> | ||||
| Adding a user is straight forward. You can use the guest entry as an example. The added | ||||
| users should have the same role as the guest user. Add lines like this to the file: | ||||
| </p> | ||||
| <pre> | ||||
| 	<user name="student1" password="password1" roles="webgoat_user"/> | ||||
| 	<user name="student2" password="password2" roles="webgoat_user"/> | ||||
| 	... | ||||
| </pre> | ||||
| 
 | ||||
| <!-- Stop Instructions --> | ||||
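Review bot: the RemoteAddrValve snippet under "Permit Only Certain Clients Connection" points at the wrong file: a <Valve> is a Catalina component and belongs inside the <Host> element of server_80.xml (the file the rest of this page edits), not in web_80.xml, which has no Host section. While there, say that the allow values are regular expressions, so 127.0.0.1 should be written 127\.0\.0\.1 (in Tomcat 7 and later the attribute is a single regex with alternatives separated by |, not a comma-separated list). The hunk is rendered as two full copies of the file, which makes the real change hard to see; the remaining points apply to both copies. The "Default Users and Roles" <pre> block has its angle brackets inverted (">role rolename="webgoat_basic"/<" renders exactly like that). The "Add User" example uses name="student1" while the default entries above it use username="webgoat"; use the same attribute as the shipped tomcat-users.xml. Under "Make WebGoat Reachable From Another Client", prefer setting address to the lab interface's IP over deleting the attribute, which binds every interface including any wireless or public one. If a class really needs per-student passwords, the Realm's digest attribute avoids storing them in clear, which the text rightly warns about. Typos: "Both are identically" -> "identical", "we strongly advice" -> "advise", "by there IP you can archive this" -> "by their IP you can achieve this", and "whitebox/blackbox" should be "allow list / deny list".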
| @ -3,8 +3,10 @@ | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| 
 | ||||
| Many applications will automatically log a user into their site if the right authentication cookie is specified.   Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained.  Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability.  Some times the cookies maybe intercepted using Cross site scripting.  This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.<br> | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  The user should be able to bypass the authentication check. | ||||
| Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice. | ||||
| <!-- Stop Instructions --> | ||||
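Review bot: the General Goal(s) section keeps the old generic line " The user should be able to bypass the authentication check." next to the new, specific one ("Login using the webgoat/webgoat account ... try changing your identity to alice"); drop one of them. In the concept paragraph, "Some times" is "Sometimes" (three occurrences), "cookies maybe intercepted" is "may be intercepted", and "Cross site scripting" should be "cross-site scripting". The paragraph would also be sharper if it led with the weakness the goal actually exercises, a cookie value that can be derived from the username once the generating algorithm is known (the "changing your identity to alice" step), rather than listing three unrelated ways a cookie can be obtained.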
| @ -0,0 +1,15 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lehrplan:</b> Basic Authentication </p> | ||||
| </div> | ||||
| <p><b>Lehrinhalt:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| "Basic Authentication" wird benutzt um Server-seitige Resource zu sch<63>tzen. Wird eine Anfrage an eine gesch<63>tzte Resource gestellt, so sendet der Webserver ein "401 authentication request" mit der Antwort auf diese Anfrage. | ||||
| Dann fragt, auf der Client Seite, der Browser den Benutzer mittels einer Dialogbox nach Benutzername und Passwort f<>r diese Resource. | ||||
| Der Browser enkodiert Benutzername und Passwort mit base64 und sendet diese Zugangsdaten zum Webserver. | ||||
| Daraufhin validiert der Webserver Benutzername und Passwort und gibt als Antwort die angeforderte Resource zur<75>ck falls die <20>bermittelten Zugangsdaten korrekt sind. | ||||
| Die Zugangsdaten werden vom Browser bei jedem weiteren Zugriff auf gesch<63>tzte Resourcen mitgesendet ohne dass der Benutzer | ||||
| sie ein weiteres Mal eingeben muss.<br/>   | ||||
|     <br/> | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b></p> | ||||
| Das Ziel dieser Lektion ist es "Basic Authentication" zu verstehen und die folgenden Fragen zu beantworten.  | ||||
| <!-- Stop Instructions --> | ||||
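Review bot: this new file mixes two character encodings: the body lines are Latin-1 ("sch<63>tzen", "f<>r", "zur<75>ck", "<20>bermittelten" are single mis-encoded bytes) while "Grundsätzliche(s) Ziel(e)" on the heading line is UTF-8, so whichever charset the lesson loader assumes, part of the text renders as garbage; re-save the whole file in one encoding (UTF-8, matching the existing "ä") and retype the umlauts. Also "Resource" is "Ressource" in German, the label "Lehrinhalt:" used here for "Concept / Topic To Teach" differs from "Konzept:" in the other German plans in this commit, and the protocol description would be more precise if it said the 401 response carries a WWW-Authenticate header, which is what makes the browser show the credentials dialog.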
| @ -0,0 +1,16 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lehrplan:</b> Einschleusen von Programmcode</p> | ||||
|  </div> | ||||
| <p><b>Konzept:</b></p> | ||||
|  | ||||
| Das Einschleusen von Programmcode stellt eine ernst zu nehmende Bedrohung f<>r dynamische Webseiten dar. Entsprechende Angriffe | ||||
| sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der Kompromittierung des kompletten Systems. | ||||
| Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet f<>r diese Form des Angriffs verwundbar. | ||||
| Dieser Angriff ist zwar leicht durchzuf<75>hren, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken  | ||||
| leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen | ||||
| besteht darin alle Eingabedaten zu s<>ubern, insbesondere die Daten die in Betriebssystembefehlen, | ||||
| Skripten und Datenbankabfragen eingebaut werden. | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b></p> | ||||
| <!-- Start Instructions --> | ||||
| Schleusen Sie einen Befehl in das darunterliegende Betriebssystem ein. | ||||
| <!-- Stop Instructions --> | ||||
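Review bot: same mixed-encoding problem as the other German plans in this commit: "f<>r", "durchzuf<75>hren", "s<>ubern" are Latin-1 bytes while "Grundsätzliche(s)" in the same file is UTF-8. The sentence "der verursachte Schaden ist schwer bzw. entspricht der Kompromittierung des kompletten Systems" misuses "schwer" as a predicate for damage; "der Schaden ist schwerwiegend" or "groß" reads correctly. This concept paragraph reappears verbatim in the Numeric SQL Injection plan later in this diff with only the attack name swapped, so consider keeping it in one place. Unlike the other plans here, the concept text sits outside the <!-- Start Instructions --> / <!-- Stop Instructions --> markers; check that this matches the English file's markup so both are rendered the same way.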
| @ -0,0 +1,14 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lehrplan:</b> Versteckte Felder ausnutzen </p> | ||||
| </div> | ||||
| <p><b>Konzept:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Entwickler benutzen versteckte Formularfelder zur Besucherverfolgung, f<>r den Login, f<>r Preisinformationen und andere | ||||
| Informationen. Dies ist ein sehr einfacher und bequemer Mechnismus f<>r Entwickler, allerdings werden die Werte | ||||
| diese Felder nur selten gepr<70>ft bevor sie benutzt werden. In dieser Lektion lernt man wie man versteckte Felder | ||||
| zu seinem Vorteil manipulieren kann. | ||||
|  | ||||
|  <br> | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| Nutzen Sie ein verstecktes Formularfeld aus, um den HD Fernseher zu einem falschen Preis zu kaufen. | ||||
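Review bot: "Mechnismus" -> "Mechanismus" and "die Werte diese Felder" -> "die Werte dieser Felder"; the umlauts ("f<>r", "gepr<70>ft") are Latin-1 while the heading's "ä" in "Grundsätzliche(s)" is UTF-8, the same mixed-encoding issue as the other new German files. The goal sentence names the product ("den HD Fernseher") that the lesson presumably hard-codes; once that label goes through WebGoatI18N, keep the plan and the label in sync.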
							
								
								
									
13 main/project/WebContent/lesson_plans/German/HtmlClues.html Normal file
							| @ -0,0 +1,13 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lehrplan:</b> N<>tzliche Hinweise in HTML entdecken. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Konzept:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  Entwickler lassen oftmals Kommentare wie FIXME's, TODO's, Code Broken, Hack usw. im Quellcode. | ||||
|  Durchsuchen Sie den Quellcode nach allem was f<>r Sie nach Passw<73>rtern, Hintert<72>ren oder anderen Unregelm<6C><6D>igkeiten aussieht. | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| <br> | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| Sie suchen und finden Hinweise im Quellcode die es Ihnen erlauben sich anzumelden. | ||||
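Review bot: "Unregelm<6C><6D>igkeiten" shows the "ß" as two mis-encoded bytes, so this line is Latin-1, while "Grundsätzliche(s)" further down is UTF-8; the file must be saved in a single encoding and the umlauts retyped ("Passwörtern", "Hintertüren", "Unregelmäßigkeiten", "für", "Nützliche"). The German goal ("Sie suchen und finden Hinweise im Quellcode die es Ihnen erlauben sich anzumelden") is a fair rephrasing, but it drops the English plan's explicit statement that the user should be able to bypass the authentication check; keep that if logging in is the lesson's completion criterion. Grammar: a comma is needed before the relative clause ("Hinweise im Quellcode, die es Ihnen erlauben, sich anzumelden").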
							
								
								
									
29 main/project/WebContent/lesson_plans/German/HttpBasics.html Normal file
							| @ -0,0 +1,29 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lehrplan:</b> Http Basics </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Lehrinhalt:</b> </p> | ||||
|  Diese Lektion stellt die Verständnis-Grundlagen für den Datentransport zwischen Browser und Webapplikation dar.<br> | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>So funktioniert HTTP:</b> | ||||
| </p> | ||||
| Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem K<>rper. | ||||
| Der Client initiiert eine Transaktion wie folgt:<br> | ||||
| <br> | ||||
|  Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br> | ||||
| </div> | ||||
|   <br> | ||||
| <ul>GET /index.html?param=value HTTP/1.0</ul> | ||||
|  Als nächstes sendet der Client optionale Kopfzeilen (Header) um den Server über die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br> | ||||
|  <br> | ||||
| <ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul> | ||||
| Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet. | ||||
| <br> | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Geben Sie Ihren Namen in das Eingabefeld ein und dr<64>cken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zur<75>ckschicken. Dies stellt eine vollständige HTTP Transaktion dar! | ||||
| <br/><br/> | ||||
| Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Kn<4B>pfe für Hinweise (Hints), für das Anzeigen von Parametern(Parameters) oder Cookies und für das Anzeigen von Java-Quellcode ausprobiert werden. | ||||
| Au<EFBFBD>erdem, können Sie hier WebScarab gut ausprobieren.  | ||||
| <!-- Stop Instructions --> | ||||
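Review bot: "Au<EFBFBD>erdem" contains a literal U+FFFD replacement character (the EF BF BD bytes), which means the "ß" was already lost when the file was saved and cannot be recovered by changing the declared charset; it has to be retyped as "Außerdem". The same file also mixes encodings: "Verständnis", "Grundsätzliche" are UTF-8 while "K<>rper", "dr<64>cken", "zur<75>ck", "Kn<4B>pfe" are Latin-1. Grammar: "Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen" -> "Nach der eigentlichen Anfrage (Request) und den weiteren Kopfzeilen". The <ul> elements around "GET /index.html?param=value HTTP/1.0" and the header line are copied from the English plan and abuse a list for indentation; <pre> would also preserve the line break between "User-Agent: Mozilla/4.06" and "Accept: image/gif,image/jpeg, */*", which are two header lines, not one.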
| @ -0,0 +1,19 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lehrplan:</b> Client-seitige JavaScript Validierung umgehen</p> | ||||
| </div> | ||||
| <p><b>Konzept:</b> </p> | ||||
|  | ||||
| Client-seitige Validierung sollte nicht als eine sichere Ma<4D>nahme zur Validierung von Parametern angesehen werden. | ||||
| Diese Art der Validierung kann h<>chstens den Server entlasten und verhindern das normale Benutzer Eingabedaten in | ||||
| einem falschen Format absenden. Angreifer hingegen, k<>nnen diesen Mechanismus auf verschiedene Arten umgehen. Jede | ||||
| Client-seitige Validierung sollte auf der Serverseite wiederholt werden. Dies verhindert, dass unsichere Parameter | ||||
| in der Applikation benutzt werden. | ||||
|  | ||||
| <br> | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Das untenstehende Formular verlangt von Ihnen verschiedene Regeln beim Ausf<73>llen einzuhalten. Dies wird Client-seitig | ||||
| <EFBFBD>berpr<EFBFBD>ft. Versuchen Sie diese | ||||
| Regeln zu brechen und senden Sie Daten an die Webseite die die Webseite nicht erwartet! <b> Sie m<>ssen alle 7 Regeln | ||||
| gleichzeitig brechen! </b> | ||||
| <!-- Stop Instructions --> | ||||
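Review bot: "<EFBFBD>berpr<EFBFBD>ft" carries two literal U+FFFD characters, so "überprüft" was destroyed at save time and must be retyped; "Ma<4D>nahme" (Maßnahme), "h<>chstens", "k<>nnen", "Ausf<73>llen", "m<>ssen" are Latin-1 next to the UTF-8 "Grundsätzliche" on the heading line. Grammar: "verhindern das normale Benutzer" -> "verhindern, dass normale Benutzer", and "Angreifer hingegen, k<>nnen" has a stray comma. Like the English plan, this hard-codes "alle 7 Regeln"; if the validator count changes in the lesson, both files go stale.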
							
								
								
									
17 main/project/WebContent/lesson_plans/German/LogSpoofing.html Normal file
							| @ -0,0 +1,17 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lehrplan:</b> F<>lschen von Eintr<74>gen in Log Dateien (Log Spoofing) </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Konzept:</b> </p> | ||||
| <p> | ||||
| Log-Eintr<74>ge in Log-Dateien m<>ssen nicht immer von tats<74>chlichen Ereignissen stammen. Ein Angreifer kann durch Einschleusen | ||||
| bestimmter Eintr<74>ge das Eintreten bestimmter Ereignisse vort<72>uschen und dadurch den Administrator zu unn<6E>tigen bzw. voreiligen  | ||||
| Handlungen verleiten bzw. ihn einfach nur verwirren. | ||||
| </p> | ||||
|  | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * Der graue Bereich steht f<>r das was tats<74>chlich in der Log-Datei des Webservers erscheint.<br> | ||||
| * Ihr Ziel ist es so aussehen zu lassen, als h<>tte sich der Benutzer "admin" erfolgreich eingeloggt.<br/> | ||||
| * Verbessern Sie Ihren Angriff, indem Sie ein Skript (Javascript) in das Log schreiben. | ||||
| <!-- Stop Instructions --> | ||||
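Review bot: the umlauts on the title line and in the concept paragraph ("F<>lschen", "Eintr<74>ge", "m<>ssen", "vort<72>uschen", "unn<6E>tigen", "h<>tte") are Latin-1 while "Grundsätzliche(s)" is UTF-8, the same mixed-encoding problem as the other German files in this commit. The concept paragraph explains the effect on the administrator but not the mechanism the goal bullets rely on: the attacker gets a line break into a value that is written to the log, so the rest of the input appears as a separate entry. One sentence on that would make the third bullet (writing a script into the log) follow naturally and hint at the fix, encoding or stripping line breaks before logging user-controlled data.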
| @ -0,0 +1,11 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lehrplan:</b> Umgehen eines Pfad-basierten Zugangskontrollschemas</p> | ||||
| </div> | ||||
| <p><b>Konzept:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| In einem Pfad-basierten Zugangangskontrollschemas (path based access control scheme), kann ein Angreifer den Pfad "bewandern" indem | ||||
| er relative Pfadangaben <20>bergibt. Dadurch kann der Angreifer auf Dateien zugreifen, die f<>r niemanden zug<75>nglich sind, bzw. zu denen | ||||
| der Zugang bei direkter Anfrage ansonsten abgelehnt w<>rde.   | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| Sie sollten in der Lage sein auf eine Datei zuzugreifen die sich nicht im aufgelisteten Verzeichnis befindet. | ||||
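Review bot: "Zugangangskontrollschemas" is misspelled and in the wrong case; the sentence should open "In einem Pfad-basierten Zugangskontrollschema". "Dateien ..., die f<>r niemanden zug<75>nglich sind" says the files are accessible to nobody, which is not what path traversal exploits; the point is files outside the directory the user is permitted to browse, which the second half of the sentence ("zu denen der Zugang bei direkter Anfrage ansonsten abgelehnt w<>rde") already states, so drop the first half. Encoding: "<20>bergibt", "f<>r", "zug<75>nglich", "w<>rde" are Latin-1 next to the UTF-8 "Grundsätzliche".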
| @ -0,0 +1,19 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lehrplan: </b>Cross Site Scripting (XSS)</p> | ||||
| </div> | ||||
| <p><b>Konzept:</b> </p> | ||||
|  | ||||
| Jegliche Eingabedaten sollten auf der Serverseite <20>berpr<70>ft werden. | ||||
| XSS passiert wenn nicht gepr<70>fte Benutereingaben in eine HTTP Response eingebaut werden. | ||||
| Bei einem reflektierten XSS Angriff, kann ein Angreifer eine URL erzeugen die ein Angriffsskript enth<74>lt und kann diese | ||||
| URL auf einer Webseite hinterlegen, sie per Email verschicken oder ein Opfer auf eine andere Weise dazu bringen die | ||||
| URL zu besuchen. | ||||
|  | ||||
|   | ||||
|  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Ihre Aufgabe ist es, sich ein St<53>ck Javascript zu <20>berlegen das Sie in diese Seite einbauen k<>nnen. | ||||
| Dann versuchen Sie die Seite dazu zu bringen, Ihnen dieses Skript wieder auszulieferen (es zu reflektieren) | ||||
| so dass das Skript in Ihrem Browser ausgef<65>hrt wird.  | ||||
| <!-- Stop Instructions --> | ||||
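Review bot: the goal heading is left in English ("General Goal(s):") while every other German plan in this commit uses "Grundsätzliche(s) Ziel(e):". Typos: "Benutereingaben" -> "Benutzereingaben", "auszulieferen" -> "auszuliefern". Encoding: "<20>berpr<70>ft", "gepr<70>ft", "enth<74>lt", "St<53>ck", "<20>berlegen", "k<>nnen", "ausgef<65>hrt" are Latin-1. The concept text says all input should be checked on the server side; since the lesson is about input reflected into the HTTP response, it should also name the control that actually stops XSS, encoding the data for the HTML context when it is written into the response.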
| @ -0,0 +1,16 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lehrplan: </b>Zugang zu Web-Resourcen erzwingen</p> | ||||
| </div> | ||||
| <p><b>Konzept::</b> </p> | ||||
| Applikationen haben oftmals eine Administrationsschnittstelle, das priviligierten Benutzern Zugang zu Funktionalit<69>t erm<72>glicht die | ||||
| f<EFBFBD>r normale Benutzer nicht sichtbar ist. Der Applikationsserver selbst hat auch oft noch eine seperate Administrationsschnittstelle. | ||||
|  | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b>  | ||||
| <!-- Start Instructions --> | ||||
| Versuchen Sie auf die Administrationsschnittstelle von WebGoat zuzugreifen. Sie k<>nnen auch versuchen auf die Administrationsschnittstelle | ||||
| von Tomcat (der Applikationsserver) zuzugreifen. Die Tomcat Schnittstelle kann <20>ber die URL /admin erreicht werden, z<>hlt aber nicht | ||||
| f<EFBFBD>r das Bestehen dieser Lektion.  | ||||
| Wenn Sie Zugriff auf Funktionalit<69>t der Administrationsschnittstelle erlangt haben, dann kommen Sie hierher zur<75>ck um zu sehen ob Sie | ||||
| die Lektion abgeschlossen haben. | ||||
| <!-- Stop Instructions --> | ||||
| </p> | ||||
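Review bot: the <p> opened on the "Grundsätzliche(s) Ziel(e):" line is not closed until after the Stop Instructions marker, so the <!-- Start Instructions --> / <!-- Stop Instructions --> markers sit inside the paragraph, unlike every other plan in this diff where the heading's <p> is closed on the same line; close it there so the text between the markers does not begin inside an unclosed tag. Also "Konzept::" has a doubled colon, "Administrationsschnittstelle, das" should be "die", "priviligierten" -> "privilegierten", "seperate" -> "separate", and the umlauts ("Funktionalit<69>t", "erm<72>glicht", "f<>r", "k<>nnen", "<20>ber", "z<>hlt", "zur<75>ck") are Latin-1 in a file whose heading uses a UTF-8 "ä".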
| @ -0,0 +1,18 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lehrplan:</b> Durchf<68>hrung von Numeric SQL Injection </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Konzept:</b> </p> | ||||
| SQL Injection Angriffe stellen eine ernstzunehmende Bedrohung f<>r alle Datenbank-getriebenen Webseiten dar. | ||||
| Entsprechende Angriffe sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der  | ||||
| Kompromittierung des kompletten Systems. | ||||
| Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet f<>r diese Form des Angriffs verwundbar. | ||||
| Dieser Angriff ist zwar leicht durchzuf<75>hren, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken  | ||||
| leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen | ||||
| besteht darin alle Eingabedaten zu s<>ubern, insbesondere die Daten die in Betriebssystembefehlen, | ||||
| Skripten und Datenbankabfragen eingebaut werden. | ||||
| <p><b>Grundsätzliche(s) Ziel(e):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Das untenstehende Formular erm<72>glicht es dem Benutzer Wetterdaten zu betrachten. Versuchen Sie einen SQL String einzuschleusen, der | ||||
| als Resultat alle Wetterdaten anzeigt. | ||||
| <!-- Stop Instructions --> | ||||
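Review bot: the concept paragraph is a verbatim copy of the command injection plan's paragraph earlier in this diff with "SQL Injection" substituted in the first sentence, including the closing "insbesondere die Daten die in Betriebssystembefehlen, Skripten und Datenbankabfragen eingebaut werden"; that is acceptable as a general statement, but what makes this lesson "Numeric" (a number concatenated into the query without quoting, so no quote character is needed to break out) is exactly what the plan should explain, and the weather-data goal would then follow from it. Encoding: "Durchf<68>hrung", "f<>r", "durchzuf<75>hren", "s<>ubern", "erm<72>glicht" are Latin-1 next to the UTF-8 "Grundsätzliche". "SQL String" as a German compound is "SQL-String".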
Some files were not shown because too many files have changed in this diff