dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

A first attempt at internationalization of WebGoat. For complete internationalization WebGoat needs two things:

Browse Source 
1. Every text passage/label that appears in lessons must independent of the current language set for WebGoat.
2. Every lesson plan and solutions must be translated for each supported language.
Number 1 is achieved by using webgoat/util/WebgoatI18N.java and by having every output routed through this piece of code. You no longer say hints.add("Lesson Hint 1"); or ....addElement("Shopping Cart")) but you in the lesson you say hints.add(WebGoatI18N.get("Lesson Hint1")) or ....addElement(WebGoatI18N.get("Shopping Cart"). Then WebGoatI18N looks up the corresponding string for the language set as the current lanuage and returns it.
Number 2 is achieved by having subdirectories in lesson_plans corresponding to every language. That means, a lesson that has been translated to Spanish and German will be found in lesson_plans/English and lesson_plans/Spanish and lesson_plans/German.

This is how WebGoat finds out about available languages: in Course.java in loadResources() it looks for lesson plans.
Unlike before, now a lesson plan can be found multiple times in different "language" directories. So for every directory the lesson plan is found in, WebGoat associates this language with the lesson and also lets WebGoatI18N load the appropriate WebGoatLabels_$LANGAUGE$.properties file which contains the translations of labels.
So this is what you have to do for a new language:
First of all, you have to copy and translate every lesson plan that you need in the new language, and then you also have to create a WebGoatLabels_$LANGUAGE$.properties file with that labels that will be used in these lessons. Atm WebGoat crashes throws an exception when a label is missing but this can be sorted out quickly. 

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@389 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mjawurek 2009-10-26 15:58:15 +00:00
parent 59abed1dde
commit 1dc6c799a7
104 changed files with 1223 additions and 488 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

228
main/project/JavaSource/WebGoatLabels_english.properties Normal file
View File

@ -0,0 +1,228 @@
#General
LessonCompleted=Congratulations. You have successfully completed this lesson.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
#HttpBasics.java
EnterYourName=Enter your Name
Go!=Go!
#BasicAuthentication.java
BasicAuthHeaderNameIncorrect=Basic Authentication header name is incorrect.
BasicAuthHeaderValueIncorrect=Basic Authentication header value is incorrect.
BasicAuthenticationWhatIsNameOfHeader=What is the name of the authentication header:
BasicAuthenticationWhatIsDecodedValueOfHeader=What is the decoded value of the authentication header:
Submit=Submit
BasicAuthenticationGreenStars1=Close your browser and login as
BasicAuthenticationGreenStars2= to get your green stars back.
BasicAuthenticationStage1Completed=Congratulations, you have figured out the mechanics of basic authentication.  - Now you must try to make WebGoat reauthenticate you as:     - username: basic     - password: basic. Use the Basic Authentication Menu to start at login page.
BasicAuthenticationAlmostThere1=You're almost there! You've modified the
BasicAuthenticationAlmostThere2= header but you are still logged in as
BasicAuthenticationAlmostThere3=. Look at the request after you typed in the 'basic' user credentials and submitted the request. Remember the order of events that occur during Basic Authentication.
BasicAuthenticationReallyClose=You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. When you figure out how to force the server to perform an authentication request, you have to authenticate as:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;user name: basic<br> &nbsp;&nbsp;&nbsp;&nbsp;password: basic<br>
BasicAuthenticationUseTheHints=Use the hints! One at a time...
BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies.
BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials.
BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials.
BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie.
BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies.
BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity.
BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials
BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client.
BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header.
#WeakAuthenticationCookie.java
InvalidCookie=Invalid cookie
IdentityRemembered=Your identity has been remembered
InvalidUsernameAndPassword=Invalid username and password entered.
UserName=User Name
Password=Password
Login=Login
RequiredFields=Required Fields
WeakAuthenticationCookiePleaseSignIn=Please sign in to your account. See the OWASP admin if you do not have an account.
SignIn=Sign in
PasswordForgotten=Goodbye! Your password has been forgotten
WelcomeUser=Welcome,
YouHaveBeenAuthenticatedWith=You have been authenticated with
Logout=Logout
Refresh=Refresh
WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.
WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
#RemoteAdminFlaw.java
RemoteAdminFlawHint1=WebGoat has 2 admin interfaces.
RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'
RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'
RemoteAdminFlawHint4=Follow the Source!
RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions'
#PathBasedAccessControl.java
CurrentDirectory=Current Directory is:
ChooseFileToView=Choose the file to view:
ViewFile=View File
AccessDenied=Access denied
ItAppears1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see one file in this directory.
ItAppears2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see files in the webgoat directory.
CongratsAccessToFileAllowed=Congratulations! Access to file allowed
FileInAllowedDirectory=File is already in allowed directory - try again!
AccessToFileDenied1=Access to file/directory "
AccessToFileDenied2=" denied
FileTooLarge=File is too large
FileBinary=File is binary
TheFollowingError=The following error occurred while accessing the file: <
PathBasedAccessControlInstr1=The '
PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted. An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml
ErrorGenerating=Error generating
ViewingFile=Viewing file:
File=File:
Dir=Dir:
IsFile= - isFile():
Exists= - exists():
PathBasedAccessControlHint1=Most operating systems allow special characters in the path.
PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory");
PathBasedAccessControlHint3=Try .. in the path
PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE
#CommandInjection.java
Command=Command
CommandInjectionRightTrack1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig.
CommandInjectionRightTrack2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. This lesson is a command injection lesson, not access control.
YouAreCurrentlyViewing=You are currently viewing:
SelectFileFromListBelow=select file from list below
SelectLessonPlanToView=Select the lesson plan to view:
View=View
CommandInjectionHint1=The application is using a system command to return the contents of a file.
CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)
CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix.
CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes
#NumericSqlInjection.java
NumericSqlInjectionSecondStage=Bet you can't do it again! This lesson has detected your successfull attack and has now switched to a defensive mode. Try again to attack a parameterized query.
NoResultsMatched=No results matched. Try Again.
NumericSqlInjectionSecondStage2=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query.
ErrorParsingAsNumber=Error parsing station as a number:
SelectYourStation=Select your local weather station:
SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.
SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br>"SELECT * FROM weather_data WHERE station = " + station
SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true.
SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ].
#StringSqlInjection.java
StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
EnterLastName=Enter your last name:
NoResultsMatched=No results matched. Try Again.
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
#LogSpoofing.java
LoginFailedForUserName=Login failed for username
LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME
LogSpoofingHint1=Try to fool the human eye by using new lines.
LogSpoofingHint2=Use CR (%0d) and LF (%0a) for a new line.
LogSpoofingHint3=Try: Smith%0d%0aLogin Succeeded for username: admin
LogSpoofingHint4=Try: Smith%0d%0aLogin Succeeded for username: admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;
#StoredXss.java
StoredXssHint1=You can put HTML tags in your message.
StoredXssHint1=Bury a SCRIPT tag in the message to attack anyone who reads it.
StoredXssHint1=Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field.
StoredXssHint1=Enter this: &lt;script&gt;alert(document.cookie);&lt;/script&gt; in the message field.
MessageContentsFor=Message Contents For
Title=Title
PostedBy=Posted by
CouldNotFindMessage=Could not find this message
Message=Message
MessageList=Message List
CouldNotAddMessage=Could not add message to database
ErroGeneratingMessageList=Error while getting message list.
#ReflectedXSS.java
ReflectedXSSWhoops1=Whoops! You entered
ReflectedXSSWhoops2= instead of your three digit code. Please try again.
ShoppingCart=Shopping Cart
ShoppingCartItems=Shopping Cart Items -- To Buy Now
Price=Price
Quantity=Quantity
Total=Total
TotalChargedCreditCard=The total charged to your credit card
UpdateCart=UpdateCart
EnterCreditCard=Enter your credit card number
Enter3DigitCode=Enter your three digit access code
Purchase=Purchase
ReflectedXSSHint1=A simple script is &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.
ReflectedXSSHint2=Can you get the script to disclose the JSESSIONID cookie?
ReflectedXSSHint3=You can use &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; to access the session id cookie
ReflectedXSSHint4=Can you get the script to access the credit card form field?
ReflectedXSSHint5=Try a cross site trace (XST) Command:<br>&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); document.write(str1);}&lt;/script&gt;");
#HtmlClues.java
HtmlCluesBINGO=BINGO -- admin authenticated
HtmlCluesHint1=You can view the HTML source by selecting 'view source' in the browser menu.
HtmlCluesHint2=There are lots of clues in the HTML
HtmlCluesHint3=Search for the word HIDDEN, look at URLs, look for comments.
#JavaScriptValidation.java
3LowerCase=Field1: exactly three lowercase characters
Exactly3Digits=Field2: exactly three digits
LettersNumbersSpaceOnly=Field3: letters, numbers, and space only
EnumerationOfNumbers=Field4: enumeration of numbers
SimpleZipCode=Field5: simple zip code
ZIPDashFour=Field6: zip with optional dash four
USPhoneNumber=Field7: US phone number with or without dashes
ServerSideValidationViolation=Server side validation violation: You succeeded for
JavaScriptValidationHint1=The validation is happening in your browser.
JavaScriptValidationHint2=Try modifying the values with a proxy after they leave your browser
JavaScriptValidationHint3=Another way is to delete the JavaScript before you view the page.
#HiddenFieldTampering.java
TotalPriceIs=Your total price is
ThisAmountCharged=This amount will be charged to your credit card immediately.
HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server.
HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field.
HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint32= to

208
main/project/JavaSource/WebGoatLabels_german.properties Normal file
View File

@ -0,0 +1,208 @@
#General
LessonCompleted=Herzlichen Glückwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
RestartLesson=Lektion neu beginnen
SolutionVideos=Lösungsvideos
ErrorGenerating=Fehler beim Generieren von
InvalidData=Ungültige Daten
#HttpBasics.java
EnterYourName=Geben Sie Ihren Namen ein
Go!=Los gehts!
#BasicAuthentication.java
BasicAuthHeaderNameIncorrect=Basic Authentication Header Name ist inkorrekt.
BasicAuthHeaderValueIncorrect=Basic Authentication Header Wert ist inkorrekt.
BasicAuthenticationWhatIsNameOfHeader=Was ist der Name des Authentication Header:
BasicAuthenticationWhatIsDecodedValueOfHeader=Was ist der dekodierte Wert des Authentication Header:
Submit=Abschicken
BasicAuthenticationGreenStars1=Schließen Sie Ihren Browser und loggen sich Sich als
BasicAuthenticationGreenStars2= ein um Ihre grünen Sterne wiederzubekommen.
BasicAuthenticationStage1Completed=Herzlichen Glückwunsch, Sie haben die Grundlagen von Basic Authentication verstanden - Jetzt versuchen Sie sich von WebGoat als: username: basic &nbsp;&nbsp;&nbsp;&nbsp;- password: basic authentisieren zu lassen. Benutzen Sie das Basic Authentication Menu um eine Login Seite zu öffnen.
BasicAuthenticationAlmostThere1=Sie Sind fast da! Sie haben den
BasicAuthenticationAlmostThere2= Header manipuliert aber Sie sind immernoch als
BasicAuthenticationAlmostThere3= eingeloggt. Schauen Sie sich den Request an nachdem Sie die 'basic' Authentisierungsdaten eingetippt haben und die Anfrage abgeschickt haben. Halten Sie sich die Reihenfolge der Ereignisse die bei Basic Authentication eintreten vor Augen.
BasicAuthenticationReallyClose=Sie sind sehr nahe dran! Durch das Ändern des Session Cookie haben Sie den Server dazu gebracht eine neue Session für Sie zu erstellen. Dies hat sie allerdings nicht re-authentisiert. Wenn Sie herausgefunden haben wie Sie den Server dazu zwingen können Sie zu re-authentisieren dann authentisieren Sie sich als:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;user name: basic<br> &nbsp;&nbsp;&nbsp;&nbsp;password: basic<br>
BasicAuthenticationUseTheHints=Benutzen Sie die Hinweise! Einen nach dem anderen...
BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies.
BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials.
BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials.
BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie.
BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies.
BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity.
BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials
BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client.
BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header.
#WeakAuthenticationCookie.java
InvalidCookie=Ungültiger Cookie!
IdentityRemembered=Ihre Identität wurde abgespeichert
InvalidUsernameAndPassword=Benutzername und Passwort ungültig.
UserName=Benutzername
Password=Passwort
Login=Anmelden
RequiredFields=*Benötigte Felder
WeakAuthenticationCookiePleaseSignIn=Bitte melden Sie sich an. Kontaktieren Sie den OWASP Administrator wenn Sie keine Anmeldedaten haben.
SignIn=Anmeldung
PasswordForgotten=Auf Wiedersehen! Ihr Passwort wurde vergessen
WelcomeUser=Willkommen,
YouHaveBeenAuthenticatedWith=Sie wurden authentisiert mit
Logout=Abmelden
Refresh=Neu Laden
WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.
WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
#RemoteAdminFlaw.java
RemoteAdminFlawHint1=WebGoat has 2 admin interfaces.
RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'
RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'
RemoteAdminFlawHint4=Follow the Source!
RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions'
#PathBasedAccessControl.java
CurrentDirectory=Das aktuelle Verzeichnis ist:
ChooseFileToView=Wählen Sie die Datei zum Anzeigen:
ViewFile=Datei anzeigen
AccessDenied=Zugang verweigert
ItAppears1=Es scheint als wären Sie auf dem richtigen Weg. Befehle die das Betriebssystem beeinflussen könnten werden ignoriert. Sie dürfen nur eine Datei in diesem Verzeichnis anzeigen.
ItAppears2=Es scheint als wären Sie auf dem richtigen Weg. Befehle die das Betriebssystem beeinflussen könnten werden ignoriert. Sie dürfen nur Dateien im WebGoat Verzeichnis anzeigen.
CongratsAccessToFileAllowed=Herzlichen Glückwunsch! Zugang zur Datei gewährt
FileInAllowedDirectory=Die Datei ist bereits in einem erlaubten Verzeichnis - Versuchen Sie es erneut!
AccessToFileDenied1=Zugang zu Datei/Verzeichnis "
AccessToFileDenied2=" verweigert
FileTooLarge=Datei ist zu groß
FileBinary=Datei hat binär-Inhalt
TheFollowingError=Der folgende Fehler trat auf beim Zugriff auf die Datei: <
PathBasedAccessControlInstr1=Der '
PathBasedAccessControlInstr2=' Benutzer hat Zugriff auf alle Dateien im lesson_plans/English Verzeichnis. Versuchen Sie den Zugangsmechanismus zu brechen indem Sie auf eine Resource zugreifen die nicht im gelisteten Verzeichnis liegt. Nachdem Sie eine Datei ausgewählt haben, wird WebGoat Ihnen sagen ob Sie Zugriff darauf haben. Eine interessante Datei könnte tomcat/conf/tomcat-users.xml sein.
ErrorGenerating=Fehler beim Generieren von
ViewingFile=Anzeige von Datei:
File=Datei:
Dir=Verzeichnis:
IsFile= - isFile() (ist eine Datei):
Exists= - exists() (existiert):
PathBasedAccessControlHint1=Most operating systems allow special characters in the path.
PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory");
PathBasedAccessControlHint3=Try .. in the path
PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE
#CommandInjection.java
Command=Befehl
CommandInjectionRightTrack1=Es scheint, dass Sie auf dem richtigen Weg sind. Befehle die das Betriebssystem kompromittieren können wurden deaktiviert. Die folgenden Befehle sind erlaubt: netstat -a, dir, ls, ifconfig und ipconfig.
CommandInjectionRightTrack2=Es scheint, dass Sie auf dem richtigen Weg sind. Befehle die das Betriebssystem kompromittieren können wurden deaktiviert. In dieser Lektion geht es um das Einschleusen von Befehlen, nicht um Zugangskontrolle.
YouAreCurrentlyViewing=Sie betrachten gerade:
SelectFileFromListBelow=wählen Sie eine Datei aus der Liste
SelectLessonPlanToView=Wählen Sie die zu betrachtende Lektion aus:
View=Anzeigen
CommandInjectionHint1=The application is using a system command to return the contents of a file.
CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)
CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix.
CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes
#NumericSqlInjection.java
SecondStage=Ich wette das können Sie nicht wiederholen. Diese Lektion hat nun in einen defensiven Modus gewechselt. Versuchen Sie nun eine parametrisierte Anfrage anzugreifen.
NoResultsMatched=Keine Resultate gefunden. Versuchen Sie es erneut.
SecondStage2=Da sie nun erfolgreich eine SQL Injection durchgeführt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage.
ErrorParsingAsNumber=Fehler beim interpretieren der Wetterstationsnummer als Zahl:
SelectYourStation=Wählen Sie Ihre lokale Wetterstation aus:
SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.
SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br>"SELECT * FROM weather_data WHERE station = " + station
SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true.
SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ].
#StringSqlInjection.java
StringSqlInjectionSecondStage=Da sie nun erfolgreich eine SQL Injection durchgeführt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. Starten Sie Diese Lektion neu, wenn Sie zur verwundbaren SQL Anfrage gelangen möchten.
EnterLastName=Geben Sie Ihren Nachnamen ein:
NoResultsMatched=Keine Resultate gefunden, versuchen Sie es erneut
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
#LogSpoofing.java
LoginFailedForUserName=Login failed for username
LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME
LogSpoofingHint1=Versuchen Sie das menschliche Auge durch Einfügen von weiteren Zeilen zu verwirren
LogSpoofingHint2=Benutzen Sie CR (%0d) und LF (%0a) für eine neue Zeile.
LogSpoofingHint3=Versuchen Sie: Smith%0d%0aLogin Succeeded for username: admin
LogSpoofingHint4=Versuchen Sie: Smith%0d%0aLogin Succeeded for username: admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;
#StoredXss.java
StoredXssHint1=Sie können HTML tags in Ihre Nachricht einbauen.
StoredXssHint1=Bauen Sie ein SCRIPT tag in Ihre Nachricht ein um jeden Anzugreifen der sie liest
StoredXssHint1=Geben Sie: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in das Nachrichtenfeld ein.
StoredXssHint1=Geben Sie: &lt;script&gt;alert(document.cookie);&lt;/script&gt; in das Nachrichtenfeld ein.
MessageContentsFor=Nachrichteninhalt für
Title=Titel
PostedBy=Geschrieben von
CouldNotFindMessage=Konnte diese Nachricht nicht finden
Message=Nachricht
MessageList=Nachrichtenliste
CouldNotAddMessage=Could not add message to database
ErroGeneratingMessageList=Error while getting message list.
#ReflectedXSS.java
ReflectedXSSWhoops1=Ups! Sie haben
ReflectedXSSWhoops2= anstatt des drei stelligen Codes eingegeben. Bitte versuchen Sie es erneut.
ShoppingCart=Warenkorb
ShoppingCartItems=Inhalt des Warenkorbs -- Jetzt kaufen
Price=Preis
Quantity=Menge
Total=Gesamt
TotalChargedCreditCard=Der Gesamtbetrag, mit dem Ihre Kreditkarte belastet wird
UpdateCart=Warenkorb aktualisieren
EnterCreditCard=Geben Sie Ihre Kreditkartennummern ein
Enter3DigitCode=Geben Sie Ihren 3-stelligen Sicherheitscode ein
Purchase=Kaufen
ReflectedXSSHint1=Ein einfaches Skript ist &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.
ReflectedXSSHint2=Können Sie das Skript dazu bringen den JSESSIONID Cookie zu veröffentlichen?
ReflectedXSSHint3=Sie können &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; benutzen um an den Session ID Cookie zu kommen
ReflectedXSSHint4=Können Sie das Skript so gestalten, dass es an den Inhalt des Kreditkartenfeldes kommt?
ReflectedXSSHint5=Versuchen Sie einen cross site trace (XST) Befehl:<br>&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); document.write(str1);}&lt;/script&gt;");
#HtmlClues.java
HtmlCluesBINGO=BINGO -- admin authentisiert
HtmlCluesHint1=Sie können Sich den HTML Quellcode anschauen indem Sie "View Source" im Browser anklicken.
HtmlCluesHint2=Es gibt viele Hinweise in HTML
HtmlCluesHint3=Suchen Sie nach den Worten HIDDEN, schauen Sie sich URLs an und suchen Sie nach Kommentaren.
#JavaScriptValidation.java
3LowerCase=Feld1: genau drei kleine Buchstaben
Exactly3Digits=Feld2: genau drei Ziffern
LettersNumbersSpaceOnly=Feld3: Buchstaben, Ziffern und Leerzeichen
EnumerationOfNumbers=Feld4: ausgeschriebene Ziffern
SimpleZipCode=Feld5: Einfach Postleitzahlen (5 stellige Zahl)
ZIPDashFour=Feld6: Postleitzahlen mit optionalem Bindestrich und 4 stelliger Zahl
USPhoneNumber=Feld7: Telefonnummer in den USA, mit oder ohne Bindestriche
ServerSideValidationViolation=Server-seitige Validierungsverstoß: Sie waren erfolgreich für
JavaScriptValidationHint1=Die Validierung findet in Ihrem Browser statt.
JavaScriptValidationHint2=Versuchen Sie den Wert zu verändern nachdem er Ihren Browser verlassen hat.
JavaScriptValidationHint3=Sie können aber auch JavaScript abschalten, bevor Sie sich die Seite anschauen.
#HiddenFieldTampering.java
TotalPriceIs=Der Gesamtpreis ist
ThisAmountCharged=Ihre Kreditkarte wird sofort mit dem Betrag belastet
HiddenFieldTamperingHint1=Die Applikation nutzt ein verstecktes Feld um Preisinformationen an den Server zu übertragen.
HiddenFieldTamperingHint2=Benutzen Sie ein Programm um den Wert des versteckten Feldes abzufangen und zu verändern.
HiddenFieldTamperingHint3=Benutzen Sie <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> um den Preis des Fernsehers auf einen anderen Wert einzustellen.
HiddenFieldTamperingHint32= bis

48
main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
View File

@ -10,7 +10,11 @@ import java.net.URL;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
@ -26,6 +30,8 @@ import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext; import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties; import org.owasp.webgoat.session.WebgoatProperties;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -95,12 +101,16 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
private String sourceFileName; private String sourceFileName;
private String lessonPlanFileName; private Map<String,String> lessonPlanFileName = new HashMap<String,String>();
private String lessonSolutionFileName; private String lessonSolutionFileName;
private WebgoatContext webgoatContext; private WebgoatContext webgoatContext;
private LinkedList<String> availableLanguages = new LinkedList<String>();
private String defaultLanguage = "English";
/** /**
* Constructor for the Lesson object * Constructor for the Lesson object
*/ */
@ -392,22 +402,29 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/ */
public String getLessonPlan(WebSession s) public String getLessonPlan(WebSession s)
{ {
String src = null; StringBuffer src = new StringBuffer();
String lang = s.getCurrrentLanguage();
try try
{ {
// System.out.println("Loading lesson plan file: " + // System.out.println("Loading lesson plan file: " +
// getLessonPlanFileName()); // getLessonPlanFileName());
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonPlanFileName()))), false); String filename = getLessonPlanFileName(lang);
if(filename==null){
filename = getLessonPlanFileName(getDefaultLanguage());
}
src.append(readFromFile(new BufferedReader(new FileReader(s.getWebResource(filename))), false));
} catch (Exception e) } catch (Exception e)
{ {
// s.setMessage( "Could not find lesson plan for " + // s.setMessage( "Could not find lesson plan for " +
// getLessonName()); // getLessonName());
src = ("Could not find lesson plan for: " + getLessonName()); src = new StringBuffer("Could not find lesson plan for: " + getLessonName()+" and language "+lang);
} }
return src; return src.toString();
} }
/** /**
@ -774,14 +791,25 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return getTitle(); return getTitle();
} }
public String getLessonPlanFileName() public String getDefaultLanguage(){
{ return this.defaultLanguage;
return lessonPlanFileName;
} }
public void setLessonPlanFileName(String lessonPlanFileName) public String getLessonPlanFileName(String lang)
{ {
this.lessonPlanFileName = lessonPlanFileName; String ret = lessonPlanFileName.get(lang);
if(ret==null) ret = lessonPlanFileName.get(getDefaultLanguage());
return ret;
}
public void setLessonPlanFileName(String lang, String lessonPlanFileName)
{
this.lessonPlanFileName.put(lang,lessonPlanFileName);
this.availableLanguages.add(lang);
}
public List<String> getAvailableLanguages(){
return this.availableLanguages;
} }
public String getLessonSolutionFileName() public String getLessonSolutionFileName()

62
main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java
View File

@ -13,6 +13,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -101,12 +102,12 @@ public class BasicAuthentication extends SequentialLessonAdapter
{ {
if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION)) if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION))
{ {
s.setMessage("Basic Authentication header name is incorrect."); s.setMessage(WebGoatI18N.get("BasicAuthHeaderNameIncorrect"));
} }
if (headerValue.length() > 0 if (headerValue.length() > 0
&& !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat"))) && !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat")))
{ {
s.setMessage("Basic Authentication header value is incorrect."); s.setMessage(WebGoatI18N.get("BasicAuthHeaderValueIncorrect"));
} }
} }
@ -120,8 +121,8 @@ public class BasicAuthentication extends SequentialLessonAdapter
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new StringElement("What is the name of the authentication header: "))); row1.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsNameOfHeader"))));
row2.addElement(new TD(new StringElement("What is the decoded value of the authentication header: "))); row2.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsDecodedValueOfHeader"))));
row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString()))); row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString())));
row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString()))); row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString())));
@ -132,7 +133,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
ec.addElement(t); ec.addElement(t);
ec.addElement(new P()); ec.addElement(new P());
Element b = ECSFactory.makeButton("Submit"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit"));
ec.addElement(b); ec.addElement(b);
} catch (Exception e) } catch (Exception e)
@ -158,7 +159,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, originalUser).setStage(1); getLessonTracker(s, originalUser).setStage(1);
getLessonTracker(s, originalUser).store(s, this); getLessonTracker(s, originalUser).store(s, this);
makeSuccess(s); makeSuccess(s);
s.setMessage("Close your browser and login as " + originalUser + " to get your green stars back."); s.setMessage(WebGoatI18N.get("BasicAuthenticiationGreenStars1")+ originalUser + WebGoatI18N.get("BasicAuthenticationGreenStars2"));
return ec; return ec;
} }
else else
@ -184,11 +185,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, BASIC).store(s, this, BASIC); getLessonTracker(s, BASIC).store(s, this, BASIC);
} }
s.setMessage("Congratulations, you have figured out the mechanics of basic authentication."); s.setMessage(WebGoatI18N.get("BasicAuthenticationStage1Completed"));
s.setMessage("&nbsp;&nbsp;- Now you must try to make WebGoat reauthenticate you as: ");
s.setMessage("&nbsp;&nbsp;&nbsp;&nbsp;- username: basic");
s.setMessage("&nbsp;&nbsp;&nbsp;&nbsp;- password: basic");
s.setMessage("Use the Basic Authentication Menu to start at login page.");
// If the auth header is different but still the original user - tell the user // If the auth header is different but still the original user - tell the user
// that the original cookie was posted bak and basic auth uses the cookie before the // that the original cookie was posted bak and basic auth uses the cookie before the
@ -196,32 +193,28 @@ public class BasicAuthentication extends SequentialLessonAdapter
if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION))) if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION)))
{ {
ec ec
.addElement("You're almost there! You've modified the " .addElement(WebGoatI18N.get("BasicAuthenticationAlmostThere1")
+ AUTHORIZATION + AUTHORIZATION
+ " header but you are " + WebGoatI18N.get("BasicAuthenticationAlmostThere2")
+ "still logged in as "
+ s.getUserName() + s.getUserName()
+ ". Look at the request after you typed in the 'basic' " + WebGoatI18N.get("BasicAuthenticationAlmostThere3"));
+ "user credentials and submitted the request. Remember the order of events that occur during Basic Authentication.");
} }
else if (!originalSessionId.equals(s.getCookie(JSESSIONID))) else if (!originalSessionId.equals(s.getCookie(JSESSIONID)))
{ {
ec ec
.addElement("You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. " .addElement(WebGoatI18N.get("BasicAuthenticationReallyClose"));
+ "When you figure out how to force the server to perform an authentication request, you have to authenticate as:<br><br>"
+ "&nbsp;&nbsp;&nbsp;&nbsp;user name: basic<br> "
+ "&nbsp;&nbsp;&nbsp;&nbsp;password: basic<br>");
} }
else else
{ {
ec.addElement("Use the hints! One at a time..."); ec.addElement(WebGoatI18N.get("BasicAuthenticationUseTheHints"));
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -252,22 +245,19 @@ public class BasicAuthentication extends SequentialLessonAdapter
// switch ( stage ) // switch ( stage )
// { // {
// case 1: // case 1:
hints.add("Basic authentication uses a cookie to pass the credentials. " hints.add(WebGoatI18N.get("BasicAuthenticationHint1"));
+ "Use a proxy to intercept the request. Look at the cookies."); hints.add(WebGoatI18N.get("BasicAuthenticationHint2"));
hints.add("Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials."); hints.add(WebGoatI18N.get("BasicAuthenticationHint3"));
hints.add("Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials."); hints.add(WebGoatI18N.get("BasicAuthenticationHint4"));
hints.add("Use WebScarab -> Tools -> Transcoder to Base64 decode the "
+ "the value in the Authorization cookie.");
// break; // break;
// case 2: // case 2:
hints.add("Basic authentication uses a cookie to pass the credentials. " hints.add(WebGoatI18N.get("BasicAuthenticationHint5"));
+ "Use a proxy to intercept the request. Look at the cookies."); hints.add(WebGoatI18N.get("BasicAuthenticationHint6"));
hints.add("Before the WebServer requests credentials from the client, the current " hints.add(WebGoatI18N.get("BasicAuthenticationHint7"));
+ "session is checked for validitity."); hints.add(WebGoatI18N.get("BasicAuthenticationHint8"));
hints.add("If the session is invalid the webserver will use the basic authentication credentials"); hints.add(WebGoatI18N.get("BasicAuthenticationHint9"));
hints.add("If the session is invalid and the basic authentication credentials are invalid, "
+ "new credentials will be requested from the client.");
hints.add("Intercept the request and corrupt the JSESSIONID and the Authorization header.");
// break; // break;
// } // }

43
main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
View File

@ -16,6 +16,7 @@ import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.Exec; import org.owasp.webgoat.util.Exec;
import org.owasp.webgoat.util.ExecResults; import org.owasp.webgoat.util.ExecResults;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -78,7 +79,7 @@ public class CommandInjection extends LessonAdapter
} }
index = index + 1; index = index + 1;
int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote
System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); System.out.println(WebGoatI18N.get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase() if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase()
.equals("netstat -a") .equals("netstat -a")
|| helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir")
@ -96,9 +97,8 @@ public class CommandInjection extends LessonAdapter
} }
else else
{ {
s.setMessage("It appears that you are on the right track. " s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack1"));
+ "Commands that may compromise the operating system have been disabled. "
+ "The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig");
} }
} }
@ -114,9 +114,7 @@ public class CommandInjection extends LessonAdapter
} }
else else
{ {
s.setMessage("It appears that you are on the right track. " s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack2"));
+ "Commands that may compromise the operating system have been disabled. "
+ "This lesson is a command injection lesson, not access control.");
} }
} }
else else
@ -125,10 +123,10 @@ public class CommandInjection extends LessonAdapter
illegalCommand = false; illegalCommand = false;
} }
} }
File safeDir = new File(s.getContext().getRealPath("/lesson_plans")); File safeDir = new File(s.getContext().getRealPath("/lesson_plans/English"));
ec.addElement(new StringElement("You are currently viewing: <b>" ec.addElement(new StringElement(WebGoatI18N.get("YouAreCurrentlyViewing")+"<b>"
+ (helpFile.toString().length() == 0 ? "&lt;select file from list below&gt;" : helpFile.toString()) + (helpFile.toString().length() == 0 ? "&lt;"+WebGoatI18N.get("SelectFileFromListBelow")+"&gt;" : helpFile.toString())
+ "</b>")); + "</b>"));
if (!illegalCommand) if (!illegalCommand)
@ -153,11 +151,11 @@ public class CommandInjection extends LessonAdapter
fileData = exec(s, cmd2); fileData = exec(s, cmd2);
} }
ec.addElement(new P().addElement("Select the lesson plan to view: ")); ec.addElement(new P().addElement(WebGoatI18N.get("SelectLessonPlanToView")));
ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html", ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html",
"\\.help")))); "\\.help"))));
// ec.addElement( results ); // ec.addElement( results );
Element b = ECSFactory.makeButton("View"); Element b = ECSFactory.makeButton(WebGoatI18N.get("View"));
ec.addElement(b); ec.addElement(b);
// Strip out some of the extra html from the "help" file // Strip out some of the extra html from the "help" file
ec.addElement(new BR()); ec.addElement(new BR());
@ -272,27 +270,14 @@ public class CommandInjection extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("The application is using a system command to return the contents of a file."); hints.add(WebGoatI18N.get("CommandInjectionHint1"));
hints hints.add(WebGoatI18N.get("CommandInjectionHint2"));
.add("The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)"); hints.add(WebGoatI18N.get("CommandInjectionHint3"));
hints.add("Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix."); hints.add(WebGoatI18N.get("CommandInjectionHint4"));
hints.add("Note that the server may enclose the submitted file name within quotes");
return hints; return hints;
} }
/**
* Gets the instructions attribute of the ParameterInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Choose the lesson plan you would like to view. "
+ "Try to inject a command to the operating system.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(40); private final static Integer DEFAULT_RANKING = new Integer(40);

42
main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
View File

@ -22,6 +22,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -106,7 +107,7 @@ public class HiddenFieldTampering extends LessonAdapter
total = quantity * Float.parseFloat(price); total = quantity * Float.parseFloat(price);
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Invaild data " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("Invaild data") + this.getClass().getName());
price = PRICE_TV; price = PRICE_TV;
quantity = 1.0f; quantity = 1.0f;
total = quantity * Float.parseFloat(PRICE_TV); total = quantity * Float.parseFloat(PRICE_TV);
@ -115,7 +116,7 @@ public class HiddenFieldTampering extends LessonAdapter
if (price.equals(PRICE_TV)) if (price.equals(PRICE_TV))
{ {
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart"))));
ec.addElement(new BR()); ec.addElement(new BR());
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
@ -125,10 +126,10 @@ public class HiddenFieldTampering extends LessonAdapter
} }
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%"));
tr.addElement(new TH().addElement("Price").setWidth("10%")); tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%")); tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%")); tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -149,10 +150,10 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:")); tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":"));
tr.addElement(new TD().addElement(money.format(total))); tr.addElement(new TD().addElement(money.format(total)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart"))));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()"))); tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("Purchase"), "validate()")));
t.addElement(tr); t.addElement(tr);
ec.addElement(t); ec.addElement(t);
@ -169,10 +170,10 @@ public class HiddenFieldTampering extends LessonAdapter
makeSuccess(s); makeSuccess(s);
} }
ec.addElement(new P().addElement("Your total price is:")); ec.addElement(new P().addElement(WebGoatI18N.get("TotalPriceIs")+":"));
ec.addElement(new B("$" + total)); ec.addElement(new B("$" + total));
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new P().addElement("This amount will be charged to your credit card immediately.")); ec.addElement(new P().addElement(WebGoatI18N.get("ThisAmountCharged")));
} }
return (ec); return (ec);
@ -196,26 +197,15 @@ public class HiddenFieldTampering extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("This application is using hidden fields to transmit price information to the server.");
hints.add("Use a program to intercept and change the value in the hidden field."); hints.add(WebGoatI18N.get("HiddenFieldTamperingHint1"));
hints hints.add(WebGoatI18N.get("HiddenFieldTamperingHint2"));
.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from " hints.add(WebGoatI18N.get("HiddenFieldTamperingHint3")+ PRICE_TV +WebGoatI18N.get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED );
+ PRICE_TV + " to " + PRICE_TV_HACKED + ".");
return hints; return hints;
} }
/**
* Gets the instructions attribute of the HiddenFieldTampering object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(50); private final static Integer DEFAULT_RANKING = new Integer(50);

33
main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java
View File

@ -19,6 +19,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -107,7 +108,7 @@ public class HtmlClues extends LessonAdapter
{ {
makeSuccess(s); makeSuccess(s);
s.setMessage("BINGO -- admin authenticated"); s.setMessage(WebGoatI18N.get("HtmlCluesBINGO"));
ec.addElement(makeUser(s, "admin", "CREDENTIALS")); ec.addElement(makeUser(s, "admin", "CREDENTIALS"));
} }
else else
@ -138,8 +139,8 @@ public class HtmlClues extends LessonAdapter
protected Element makeUser(WebSession s, String user, String method) throws Exception protected Element makeUser(WebSession s, String user, String method) throws Exception
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Welcome, " + user)); ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser")+ user));
ec.addElement(new P().addElement("You have been authenticated with " + method)); ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method));
return (ec); return (ec);
} }
@ -158,12 +159,12 @@ public class HtmlClues extends LessonAdapter
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH() tr.addElement(new TH()
.addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") .addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left")); .setColSpan(2).setAlign("left"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -172,8 +173,8 @@ public class HtmlClues extends LessonAdapter
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*User Name: ")))); row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")+": "))));
row2.addElement(new TD(new B(new StringElement("*Password: ")))); row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")+": "))));
Input input1 = new Input(Input.TEXT, USERNAME, ""); Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
@ -182,7 +183,7 @@ public class HtmlClues extends LessonAdapter
t.addElement(row1); t.addElement(row1);
t.addElement(row2); t.addElement(row2);
Element b = ECSFactory.makeButton("Login"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
t.addElement(new TR(new TD(b))); t.addElement(new TR(new TD(b)));
ec.addElement(t); ec.addElement(t);
@ -197,24 +198,14 @@ public class HtmlClues extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("You can view the HTML source by selecting 'view source' in the browser menu."); hints.add(WebGoatI18N.get("HtmlCluesHint1"));
hints.add("There are lots of clues in the HTML"); hints.add(WebGoatI18N.get("HtmlCluesHint2"));
hints.add("Search for the word HIDDEN, look at URLs, look for comments."); hints.add(WebGoatI18N.get("HtmlCluesHint3"));
return hints; return hints;
} }
/**
* Gets the instructions attribute of the HtmlClues object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Below is an example of a forms based authentication form. Look for clues to help you log in.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(30); private final static Integer DEFAULT_RANKING = new Integer(30);

5
main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java
View File

@ -9,6 +9,7 @@ import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -59,7 +60,7 @@ public class HttpBasics extends LessonAdapter
StringBuffer person = null; StringBuffer person = null;
try try
{ {
ec.addElement(new StringElement("Enter your name: ")); ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName")+": "));
person = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
person.reverse(); person.reverse();
@ -67,7 +68,7 @@ public class HttpBasics extends LessonAdapter
Input input = new Input(Input.TEXT, PERSON, person.toString()); Input input = new Input(Input.TEXT, PERSON, person.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton("Go!"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b); ec.addElement(b);
} catch (Exception e) } catch (Exception e)
{ {

50
main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java
View File

@ -14,6 +14,7 @@ import org.apache.ecs.html.Input;
import org.apache.ecs.html.P; import org.apache.ecs.html.P;
import org.apache.ecs.html.TextArea; import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -124,28 +125,28 @@ public class JavaScriptValidation extends LessonAdapter
b.setType(Input.BUTTON); b.setType(Input.BUTTON);
b.setValue("Submit"); b.setValue("Submit");
b.addAttribute("onclick", "validate();"); b.addAttribute("onclick", "validate();");
ec.addElement(new Div().addElement(new StringElement("Field1: exactly three lowercase characters (" ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("3LowerCase")+"("
+ regex1 + ")"))); + regex1 + ")")));
ec.addElement(new Div().addElement(input1)); ec.addElement(new Div().addElement(input1));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field2: exactly three digits (" + regex2 + ")"))); ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("Exactly3Digits")+"(" + regex2 + ")")));
ec.addElement(new Div().addElement(input2)); ec.addElement(new Div().addElement(input2));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field3: letters, numbers, and space only (" + regex3 ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("LettersNumbersSpaceOnly")+"(" + regex3
+ ")"))); + ")")));
ec.addElement(new Div().addElement(input3)); ec.addElement(new Div().addElement(input3));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field4: enumeration of numbers (" + regex4 + ")"))); ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("EnumerationOfNumbers")+" (" + regex4 + ")")));
ec.addElement(new Div().addElement(input4)); ec.addElement(new Div().addElement(input4));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field5: simple zip code (" + regex5 + ")"))); ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("SimpleZipCode")+ " (" + regex5 + ")")));
ec.addElement(new Div().addElement(input5)); ec.addElement(new Div().addElement(input5));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div() ec.addElement(new Div()
.addElement(new StringElement("Field6: zip with optional dash four (" + regex6 + ")"))); .addElement(new StringElement(WebGoatI18N.get("ZIPDashFour")+" (" + regex6 + ")")));
ec.addElement(new Div().addElement(input6)); ec.addElement(new Div().addElement(input6));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field7: US phone number with or without dashes (" ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("USPhoneNumber")+ " ("
+ regex7 + ")"))); + regex7 + ")")));
ec.addElement(new Div().addElement(input7)); ec.addElement(new Div().addElement(input7));
ec.addElement(new P()); ec.addElement(new P());
@ -160,43 +161,43 @@ public class JavaScriptValidation extends LessonAdapter
if (!pattern1.matcher(param1).matches()) if (!pattern1.matcher(param1).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field1."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field1.";
} }
if (!pattern2.matcher(param2).matches()) if (!pattern2.matcher(param2).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field2."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field2.";
} }
if (!pattern3.matcher(param3).matches()) if (!pattern3.matcher(param3).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field3."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field3.";
} }
if (!pattern4.matcher(param4).matches()) if (!pattern4.matcher(param4).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field4."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field4.";
} }
if (!pattern5.matcher(param5).matches()) if (!pattern5.matcher(param5).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field5."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field5.";
} }
if (!pattern6.matcher(param6).matches()) if (!pattern6.matcher(param6).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field6."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field6.";
} }
if (!pattern7.matcher(param7).matches()) if (!pattern7.matcher(param7).matches())
{ {
err++; err++;
msg += "<BR>Server side validation violation: You succeeded for Field7."; msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field7.";
} }
if (err > 0) if (err > 0)
@ -212,7 +213,7 @@ public class JavaScriptValidation extends LessonAdapter
catch (Exception e) catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -237,27 +238,14 @@ public class JavaScriptValidation extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("JavaScriptValidationHint1"));
hints.add(WebGoatI18N.get("JavaScriptValidationHint2"));
hints.add(WebGoatI18N.get("JavaScriptValidationHint3"));
hints.add("The validation is happening in your browser.");
hints.add("Try modifying the values with a proxy after they leave your browser");
hints.add("Another way is to delete the JavaScript before you view the page.");
return hints; return hints;
} }
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This website performs both client and server side validation. "
+ "For this exercise, your job is to break the client side validation and send the "
+ " website input that it wasn't expecting."
+ "<b> You must break all 7 validators at the same time. </b>";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(120); private final static Integer DEFAULT_RANKING = new Integer(120);

6
main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
View File

@ -16,6 +16,7 @@ import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -165,9 +166,10 @@ public abstract class LessonAdapter extends AbstractLesson
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
StringBuffer buff = new StringBuffer(); StringBuffer buff = new StringBuffer();
String lang = s.getCurrrentLanguage();
try try
{ {
String fileName = s.getWebResource(getLessonPlanFileName()); String fileName = s.getWebResource(getLessonPlanFileName(lang));
if (fileName != null) if (fileName != null)
{ {
BufferedReader in = new BufferedReader(new FileReader(fileName)); BufferedReader in = new BufferedReader(new FileReader(fileName));
@ -241,7 +243,7 @@ public abstract class LessonAdapter extends AbstractLesson
{ {
getLessonTracker(s).setCompleted(true); getLessonTracker(s).setCompleted(true);
s.setMessage("Congratulations. You have successfully completed this lesson."); s.setMessage(WebGoatI18N.get("LessonCompleted"));
return (null); return (null);
} }

21
main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
View File

@ -17,6 +17,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -73,15 +74,15 @@ public class LogSpoofing extends LessonAdapter
TR row2 = new TR(); TR row2 = new TR();
TR row3 = new TR(); TR row3 = new TR();
row1.addElement(new TD(new StringElement("Username: "))); row1.addElement(new TD(new StringElement(WebGoatI18N.get("UserName")+":")));
Input username = new Input(Input.TEXT, USERNAME, ""); Input username = new Input(Input.TEXT, USERNAME, "");
row1.addElement(new TD(username)); row1.addElement(new TD(username));
row2.addElement(new TD(new StringElement("Password: "))); row2.addElement(new TD(new StringElement(WebGoatI18N.get("Password")+": ")));
Input password = new Input(Input.PASSWORD, PASSWORD, ""); Input password = new Input(Input.PASSWORD, PASSWORD, "");
row2.addElement(new TD(password)); row2.addElement(new TD(password));
Element b = ECSFactory.makeButton("Login"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
row3.addElement(new TD(new StringElement("&nbsp; "))); row3.addElement(new TD(new StringElement("&nbsp; ")));
row3.addElement(new TD(b)).setAlign("right"); row3.addElement(new TD(b)).setAlign("right");
@ -102,7 +103,7 @@ public class LogSpoofing extends LessonAdapter
Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row4 = new TR(); TR row4 = new TR();
row4.addElement(new TD(new PRE("Login failed for username: " + inputUsername))).setBgColor(HtmlColor.GRAY); row4.addElement(new TD(new PRE(WebGoatI18N.get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY);
t2.addElement(row4); t2.addElement(row4);
@ -111,7 +112,7 @@ public class LogSpoofing extends LessonAdapter
if (inputUsername.length() != 0 if (inputUsername.length() != 0
&& inputUsername.toUpperCase().indexOf( && inputUsername.toUpperCase().indexOf(
System.getProperty("line.separator") System.getProperty("line.separator")
+ "LOGIN SUCCEEDED FOR USERNAME:") >= 0) + WebGoatI18N.get("LoginSucceededForUserName")+":") >= 0)
{ {
makeSuccess(s); makeSuccess(s);
} }
@ -134,12 +135,10 @@ public class LogSpoofing extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("Try to fool the human eye by using new lines."); hints.add(WebGoatI18N.get("LogSpoofingHint1"));
hints.add("Use CR (%0d) and LF (%0a) for a new line."); hints.add(WebGoatI18N.get("LogSpoofingHint2"));
hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); hints.add(WebGoatI18N.get("LogSpoofingHint3"));
hints hints.add(WebGoatI18N.get("LogSpoofingHint4"));
.add("Try: Smith%0d%0aLogin Succeeded for username: admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;");
return hints; return hints;
} }

61
main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
View File

@ -16,6 +16,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -66,7 +67,7 @@ public class PathBasedAccessControl extends LessonAdapter
try try
{ {
String dir = s.getContext().getRealPath("/lesson_plans"); String dir = s.getContext().getRealPath("/lesson_plans/English");
File d = new File(dir); File d = new File(dir);
Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
@ -77,8 +78,8 @@ public class PathBasedAccessControl extends LessonAdapter
} }
String[] list = d.list(); String[] list = d.list();
String listing = " <p><B>Current Directory is:</B> " + Encoding.urlDecode(dir) String listing = " <p><B>"+WebGoatI18N.get("CurrentDirectory")+"</B> " + Encoding.urlDecode(dir)
+ "<br><br> Choose the file to view:</p>"; + "<br><br>"+WebGoatI18N.get("ChooseFileToView")+"</p>";
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing))); tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
@ -86,7 +87,7 @@ public class PathBasedAccessControl extends LessonAdapter
tr = new TR(); tr = new TR();
tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15))); tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("View File"))); tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("ViewFile"))));
t.addElement(tr); t.addElement(tr);
ec.addElement(t); ec.addElement(t);
@ -105,17 +106,13 @@ public class PathBasedAccessControl extends LessonAdapter
// file // file
if (upDirCount(file) == 3 && !file.endsWith("LICENSE")) if (upDirCount(file) == 3 && !file.endsWith("LICENSE"))
{ {
s.setMessage("Access denied"); s.setMessage(WebGoatI18N.get("AccessDenied"));
s.setMessage("It appears that you are on the right track. " s.setMessage(WebGoatI18N.get("ItAppears1"));
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see one file in this directory. ");
} }
else if (upDirCount(file) > 3) else if (upDirCount(file) > 3)
{ {
s.setMessage("Access denied"); s.setMessage(WebGoatI18N.get("AccessDenied"));
s.setMessage("It appears that you are on the right track. " s.setMessage(WebGoatI18N.get("ItAppears2"));
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see files in the webgoat directory. ");
} }
else else
{ {
@ -134,13 +131,13 @@ public class PathBasedAccessControl extends LessonAdapter
if (s.isDebug()) if (s.isDebug())
{ {
s.setMessage("File: " + file); s.setMessage(WebGoatI18N.get("File") + file);
s.setMessage("Dir: " + dir); s.setMessage(WebGoatI18N.get("Dir")+ dir);
// s.setMessage("File URI: " + "file:///" + // s.setMessage("File URI: " + "file:///" +
// (Encoding.urlEncode(dir) + "\\" + // (Encoding.urlEncode(dir) + "\\" +
// Encoding.urlEncode(file)).replaceAll("\\\\","/")); // Encoding.urlEncode(file)).replaceAll("\\\\","/"));
s.setMessage(" - isFile(): " + f.isFile()); s.setMessage(WebGoatI18N.get("IsFile")+ f.isFile());
s.setMessage(" - exists(): " + f.exists()); s.setMessage(WebGoatI18N.get("Exists") + f.exists());
} }
if (!illegalCommand) if (!illegalCommand)
{ {
@ -150,21 +147,21 @@ public class PathBasedAccessControl extends LessonAdapter
// directory listing we gave them. // directory listing we gave them.
if (upDirCount(file) >= 1) if (upDirCount(file) >= 1)
{ {
s.setMessage("Congratulations! Access to file allowed"); s.setMessage(WebGoatI18N.get("CongratsAccessToFileAllowed"));
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
makeSuccess(s); makeSuccess(s);
} }
else else
{ {
s.setMessage("File is already in allowed directory - try again!"); s.setMessage(WebGoatI18N.get("FileInAllowedDirectory"));
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
} }
} }
else if (file != null && file.length() != 0) else if (file != null && file.length() != 0)
{ {
s s
.setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath()) .setMessage(WebGoatI18N.get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath())
+ "\" denied"); + WebGoatI18N.get("AccessToFileDenied2"));
} }
else else
{ {
@ -178,11 +175,11 @@ public class PathBasedAccessControl extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new HR().setWidth("100%")); ec.addElement(new HR().setWidth("100%"));
ec.addElement("Viewing file: " + f.getCanonicalPath()); ec.addElement(WebGoatI18N.get("ViewingFile")+ f.getCanonicalPath());
ec.addElement(new HR().setWidth("100%")); ec.addElement(new HR().setWidth("100%"));
if (f.length() > 80000) { throw new Exception("File is too large"); } if (f.length() > 80000) { throw new Exception(WebGoatI18N.get("FileTooLarge")); }
String fileData = getFileText(new BufferedReader(new FileReader(f)), false); String fileData = getFileText(new BufferedReader(new FileReader(f)), false);
if (fileData.indexOf(0x00) != -1) { throw new Exception("File is binary"); } if (fileData.indexOf(0x00) != -1) { throw new Exception(WebGoatI18N.get("FileBinary")); }
ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>") ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>")
.replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>") .replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>")
.replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll("<(r|u|t)", .replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll("<(r|u|t)",
@ -190,13 +187,13 @@ public class PathBasedAccessControl extends LessonAdapter
} catch (Exception e) } catch (Exception e)
{ {
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement("The following error occurred while accessing the file: <"); ec.addElement(WebGoatI18N.get("TheFollowingError"));
ec.addElement(e.getMessage()); ec.addElement(e.getMessage());
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating")+ this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -233,10 +230,10 @@ public class PathBasedAccessControl extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("Most operating systems allow special characters in the path."); hints.add(WebGoatI18N.get("PathBasedAccessControlHint1"));
hints.add("Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); hints.add(WebGoatI18N.get("PathBasedAccessControlHint2"));
hints.add("Try .. in the path"); hints.add(WebGoatI18N.get("PathBasedAccessControlHint3"));
hints.add("Try ..\\..\\..\\LICENSE"); hints.add(WebGoatI18N.get("PathBasedAccessControlHint4"));
return hints; return hints;
} }
@ -248,11 +245,7 @@ public class PathBasedAccessControl extends LessonAdapter
*/ */
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
String instructions = "The '" + s.getUserName() + "' user has access to all the files in the " String instructions = WebGoatI18N.get("PathBasedAccessControlInstr1")+ s.getUserName() + WebGoatI18N.get("PathBasedAccessControlInstr2");
+ "lesson_plans directory. Try to break the access control mechanism and access a "
+ "resource that is not in the listed directory. After selecting a file to view, WebGoat "
+ "will report if access to the file was granted. An interesting file to try and obtain might "
+ "be a file like tomcat/conf/tomcat-users.xml";
return (instructions); return (instructions);
} }

52
main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java
View File

@ -19,6 +19,7 @@ import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder; import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -87,13 +88,13 @@ public class ReflectedXSS extends LessonAdapter
makeSuccess(s); makeSuccess(s);
} }
s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code. Please try again."); s.setMessage(WebGoatI18N.get("ReflectedXSSWhoops1")+ param1 + WebGoatI18N.get("ReflectedXSSWhoops2"));
} }
// FIXME: encode output of field2, then s.setMessage( field2 ); // FIXME: encode output of field2, then s.setMessage( field2 );
ec.addElement(new HR().setWidth("90%")); ec.addElement(new HR().setWidth("90%"));
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart"))));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor()) if (s.isColor())
@ -102,10 +103,10 @@ public class ReflectedXSS extends LessonAdapter
} }
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%"));
tr.addElement(new TH().addElement("Price").setWidth("10%")); tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%")); tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%")); tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -170,24 +171,24 @@ public class ReflectedXSS extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:")); tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":"));
tr.addElement(new TD().addElement(money.format(runningTotal))); tr.addElement(new TD().addElement(money.format(runningTotal)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart"))));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2)); tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("Enter your credit card number:")); tr.addElement(new TD().addElement(WebGoatI18N.get("EnterCreditCard")+":"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2)));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("Enter your three digit access code:")); tr.addElement(new TD().addElement(WebGoatI18N.get("Enter3DigitCode")+":"));
tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>")); tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>"));
// tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1))); // tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
t.addElement(tr); t.addElement(tr);
Element b = ECSFactory.makeButton("Purchase"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Purchase"));
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
t.addElement(tr); t.addElement(tr);
@ -197,7 +198,7 @@ public class ReflectedXSS extends LessonAdapter
ec.addElement(new HR().setWidth("90%")); ec.addElement(new HR().setWidth("90%"));
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
return (ec); return (ec);
@ -221,16 +222,12 @@ public class ReflectedXSS extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("A simple script is &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;."); hints.add(WebGoatI18N.get("ReflectedXSSHint1"));
hints.add("Can you get the script to disclose the JSESSIONID cookie?"); hints.add(WebGoatI18N.get("ReflectedXSSHint2"));
hints.add("You can use &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; to access the session id cookie"); hints.add(WebGoatI18N.get("ReflectedXSSHint3"));
hints.add("Can you get the script to access the credit card form field?"); hints.add(WebGoatI18N.get("ReflectedXSSHint4"));
hints hints.add(WebGoatI18N.get("ReflectedXSSHint5"));
.add("Try a cross site trace (XST) Command:<br>"
+ "&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1)"
+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);"
+ " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); "
+ "document.write(str1);}&lt;/script&gt;");
return hints; return hints;
} }
@ -238,16 +235,7 @@ public class ReflectedXSS extends LessonAdapter
// = new // = new
// ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); // ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
// xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script> // xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(120); private final static Integer DEFAULT_RANKING = new Integer(120);

17
main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java
View File

@ -6,6 +6,7 @@ import java.util.List;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -56,11 +57,6 @@ public class RemoteAdminFlaw extends LessonAdapter
{ {
makeSuccess(s); makeSuccess(s);
} }
else
{
ec.addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure "
+ "out how to access the administrative interface for WebGoat.");
}
return ec; return ec;
} }
@ -83,12 +79,11 @@ public class RemoteAdminFlaw extends LessonAdapter
public List<String> getHints(WebSession s) public List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("WebGoat has 2 admin interfaces."); hints.add(WebGoatI18N.get("RemoteAdminFlawHint1"));
hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'"); hints.add(WebGoatI18N.get("RemoteAdminFlawHint2"));
hints hints.add(WebGoatI18N.get("RemoteAdminFlawHint3"));
.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'"); hints.add(WebGoatI18N.get("RemoteAdminFlawHint4"));
hints.add("Follow the Source!"); hints.add(WebGoatI18N.get("RemoteAdminFlawHint5"));
hints.add("On success you will see new submenu items in the menupoint 'Admin Functions'");
return hints; return hints;
} }

34
main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
View File

@ -22,6 +22,7 @@ import org.apache.ecs.html.Select;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -130,17 +131,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
getLessonTracker(s).setStage(2); getLessonTracker(s).setStage(2);
StringBuffer msg = new StringBuffer(); StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! "); msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage"));
msg.append("This lesson has detected your successfull attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");
s.setMessage(msg.toString()); s.setMessage(msg.toString());
} }
} }
else else
{ {
ec.addElement("No results matched. Try Again."); ec.addElement(WebGoatI18N.get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
@ -149,7 +147,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -160,8 +158,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement("Now that you have successfully performed an SQL injection, try the same " ec.addElement(WebGoatI18N.get("NumericSqlInjectionSecondStage2"));
+ " type of attack on a parameterized query.");
// if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart")) // if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart"))
// { // {
// getLessonTracker(s).setStage(1); // getLessonTracker(s).setStage(1);
@ -205,14 +202,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
} }
else else
{ {
ec.addElement("No results matched. Try Again."); ec.addElement(WebGoatI18N.get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
{ {
ec.addElement(new P().addElement(sqle.getMessage())); ec.addElement(new P().addElement(sqle.getMessage()));
} catch (NumberFormatException npe) } catch (NumberFormatException npe)
{ {
ec.addElement(new P().addElement("Error parsing station as a number: " + npe.getMessage())); ec.addElement(new P().addElement(WebGoatI18N.get("ErrorParsingAsNumber") + npe.getMessage()));
} }
} catch (Exception e) } catch (Exception e)
{ {
@ -227,7 +224,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Select your local weather station: ")); ec.addElement(new P().addElement(WebGoatI18N.get("SelectYourStation")));
Map<String, String> stations = getStations(s); Map<String, String> stations = getStations(s);
Select select = new Select(STATION_ID); Select select = new Select(STATION_ID);
@ -240,7 +237,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
ec.addElement(select); ec.addElement(select);
ec.addElement(new P()); ec.addElement(new P());
Element b = ECSFactory.makeButton("Go!"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b); ec.addElement(b);
return ec; return ec;
@ -310,13 +307,12 @@ public class SqlNumericInjection extends SequentialLessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints hints.add(WebGoatI18N.get("SqlNumericInjectionHint1"));
.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command."); hints.add(WebGoatI18N.get("SqlNumericInjectionHint2"));
hints.add("This is the code for the query being built and issued by WebGoat:<br><br> " hints.add(WebGoatI18N.get("SqlNumericInjectionHint3"));
+ "\"SELECT * FROM weather_data WHERE station = \" + station "); hints.add(WebGoatI18N.get("SqlNumericInjectionHint4"));
hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
+ "Try appending a SQL statement that always resolves to true.");
hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ].");
return hints; return hints;
} }

33
main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
View File

@ -18,6 +18,7 @@ import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -113,17 +114,14 @@ public class SqlStringInjection extends SequentialLessonAdapter
StringBuffer msg = new StringBuffer(); StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! "); msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage1"));
msg.append("This lesson has detected your successful attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");
s.setMessage(msg.toString()); s.setMessage(msg.toString());
} }
} }
else else
{ {
ec.addElement("No results matched. Try Again."); ec.addElement(WebGoatI18N.get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
{ {
@ -132,7 +130,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -143,9 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement("Now that you have successfully performed an SQL injection, try the same " ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage"));
+ " type of attack on a parameterized query. Restart the lesson if you wish "
+ " to return to the injectable query");
if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart")) if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
{ {
getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
@ -184,7 +180,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
} }
else else
{ {
ec.addElement("No results matched. Try Again."); ec.addElement(WebGoatI18N.get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
{ {
@ -192,7 +188,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -202,13 +198,13 @@ public class SqlStringInjection extends SequentialLessonAdapter
protected Element makeAccountLine(WebSession s) protected Element makeAccountLine(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Enter your last name: ")); ec.addElement(new P().addElement(WebGoatI18N.get("EnterLastName")));
accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name"); accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString()); Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton("Go!"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b); ec.addElement(b);
return ec; return ec;
@ -233,12 +229,11 @@ public class SqlStringInjection extends SequentialLessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command.");
hints.add("This is the code for the query being built and issued by WebGoat:<br><br> " hints.add(WebGoatI18N.get("SqlStringInjectionHint1"));
+ "\"SELECT * FROM user_data WHERE last_name = \" + accountName "); hints.add(WebGoatI18N.get("SqlStringInjectionHint2"));
hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR." hints.add(WebGoatI18N.get("SqlStringInjectionHint3"));
+ "Try appending a SQL statement that always resolves to true"); hints.add(WebGoatI18N.get("SqlStringInjectionHint4"));
hints.add("Try entering [ smith' OR '1' = '1 ].");
return hints; return hints;
} }

36
main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
View File

@ -23,6 +23,7 @@ import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea; import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.HtmlEncoder; import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -114,7 +115,7 @@ public class StoredXss extends LessonAdapter
// like "Characters found after end of SQL statement." // like "Characters found after end of SQL statement."
if (e.getMessage().indexOf("No ResultSet was produced") == -1) if (e.getMessage().indexOf("No ResultSet was produced") == -1)
{ {
s.setMessage("Could not add message to database"); s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
} }
e.printStackTrace(); e.printStackTrace();
} }
@ -159,11 +160,12 @@ public class StoredXss extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("You can put HTML tags in your message."); hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it."); hints.add(WebGoatI18N.get("StoredXssHint1"));
hints hints.add(WebGoatI18N.get("StoredXssHint1"));
.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field."); hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add("Enter this: &lt;script&gt;alert(document.cookie);&lt;/script&gt; in the message field.");
return hints; return hints;
} }
@ -217,14 +219,14 @@ public class StoredXss extends LessonAdapter
if ((results != null) && results.first()) if ((results != null) && results.first())
{ {
ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL))); ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor")+": " + results.getString(TITLE_COL)));
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR(new TD(new B(new StringElement("Title:")))); TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title")+":"))));
row1.addElement(new TD(new StringElement(results.getString(TITLE_COL)))); row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
t.addElement(row1); t.addElement(row1);
String messageData = results.getString(MESSAGE_COL); String messageData = results.getString(MESSAGE_COL);
TR row2 = new TR(new TD(new B(new StringElement("Message:")))); TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message")+":"))));
row2.addElement(new TD(new StringElement(messageData))); row2.addElement(new TD(new StringElement(messageData)));
t.addElement(row2); t.addElement(row2);
@ -234,7 +236,7 @@ public class StoredXss extends LessonAdapter
// message, // message,
// they can see that the message is attributed to that user // they can see that the message is attributed to that user
TR row3 = new TR(new TD(new StringElement("Posted By:"))); TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy")+":")));
row3.addElement(new TD(new StringElement(results.getString(USER_COL)))); row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
t.addElement(row3); t.addElement(row3);
@ -253,12 +255,12 @@ public class StoredXss extends LessonAdapter
{ {
if (messageNum != 0) if (messageNum != 0)
{ {
ec.addElement(new P().addElement("Could not find message " + messageNum)); ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -277,14 +279,14 @@ public class StoredXss extends LessonAdapter
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new StringElement("Title: "))); row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title")+": ")));
Input inputTitle = new Input(Input.TEXT, TITLE, ""); Input inputTitle = new Input(Input.TEXT, TITLE, "");
row1.addElement(new TD(inputTitle)); row1.addElement(new TD(inputTitle));
TD item1 = new TD(); TD item1 = new TD();
item1.setVAlign("TOP"); item1.setVAlign("TOP");
item1.addElement(new StringElement("Message: ")); item1.addElement(new StringElement(WebGoatI18N.get("Message")+": "));
row2.addElement(item1); row2.addElement(item1);
TD item2 = new TD(); TD item2 = new TD();
@ -294,7 +296,7 @@ public class StoredXss extends LessonAdapter
t.addElement(row1); t.addElement(row1);
t.addElement(row2); t.addElement(row2);
Element b = ECSFactory.makeButton("Submit"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit"));
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(t); ec.addElement(t);
ec.addElement(new P().addElement(b)); ec.addElement(new P().addElement(b));
@ -343,11 +345,11 @@ public class StoredXss extends LessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error while getting message list."); s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
} }
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new H1("Message List")); ec.addElement(new H1(WebGoatI18N.get("MessageList")));
ec.addElement(t); ec.addElement(t);
return (ec); return (ec);

54
main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
View File

@ -18,6 +18,7 @@ import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -103,7 +104,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
} }
else else
{ {
s.setMessage("Invalid cookie"); s.setMessage(WebGoatI18N.get("InvalidCookie"));
s.eatCookies(); s.eatCookies();
} }
} }
@ -141,14 +142,14 @@ public class WeakAuthenticationCookie extends LessonAdapter
if (loginID != "") if (loginID != "")
{ {
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID); Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage("Your identity has been remembered"); s.setMessage(WebGoatI18N.get("IdentityRemembered"));
s.getResponse().addCookie(newCookie); s.getResponse().addCookie(newCookie);
return (username); return (username);
} }
else else
{ {
s.setMessage("Invalid username and password entered."); s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword"));
} }
} }
@ -168,7 +169,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
if (logout) if (logout)
{ {
s.setMessage("Goodbye! Your password has been forgotten"); s.setMessage(WebGoatI18N.get("PasswordForgotten"));
s.eatCookies(); s.eatCookies();
return (makeLogin(s)); return (makeLogin(s));
@ -185,7 +186,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); } if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -250,27 +251,16 @@ public class WeakAuthenticationCookie extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("The server authenticates the user using a cookie, if you send the right cookie."); hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1"));
hints.add("Is the AuthCookie value guessable knowing the username and password?"); hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2"));
hints.add("Add 'AuthCookie=********;' to the Cookie: header using " hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3"));
+ "<A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>."); hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4"));
hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx<br/>"
+ "After logging in as aspect a cookie is added. 65432udfqtb<br/>"
+ "Is there anything similar about the cookies and the login names?");
return hints; return hints;
} }
/**
* Gets the instructions attribute of the WeakAuthenticationCookie object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(90); private final static Integer DEFAULT_RANKING = new Integer(90);
@ -300,7 +290,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("Sign In ")); ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn")));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor()) if (s.isColor())
@ -310,12 +300,12 @@ public class WeakAuthenticationCookie extends LessonAdapter
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH() tr.addElement(new TH()
.addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") .addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left")); .setColSpan(2).setAlign("left"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -324,8 +314,8 @@ public class WeakAuthenticationCookie extends LessonAdapter
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*User Name: ")))); row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")))));
row2.addElement(new TD(new B(new StringElement("*Password: ")))); row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")))));
Input input1 = new Input(Input.TEXT, USERNAME, ""); Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
@ -334,7 +324,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
t.addElement(row1); t.addElement(row1);
t.addElement(row2); t.addElement(row2);
Element b = ECSFactory.makeButton("Login"); Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
t.addElement(new TR(new TD(b))); t.addElement(new TR(new TD(b)));
ec.addElement(t); ec.addElement(t);
@ -357,10 +347,10 @@ public class WeakAuthenticationCookie extends LessonAdapter
protected Element makeUser(WebSession s, String user, String method) throws Exception protected Element makeUser(WebSession s, String user, String method) throws Exception
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Welcome, " + user)); ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user));
ec.addElement(new P().addElement("You have been authenticated with " + method)); ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method));
ec.addElement(new P().addElement(ECSFactory.makeLink("Logout", LOGOUT, true))); ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink("Refresh", "", ""))); ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", "")));
return (ec); return (ec);
} }

19
main/project/JavaSource/org/owasp/webgoat/session/Course.java
View File

@ -4,6 +4,7 @@ package org.owasp.webgoat.session;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
@ -16,6 +17,7 @@ import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
/*************************************************************************************************** /***************************************************************************************************
* *
* *
@ -59,6 +61,7 @@ public class Course
private WebgoatContext webgoatContext; private WebgoatContext webgoatContext;
public Course() public Course()
{ {
try try
@ -71,6 +74,9 @@ public class Course
} }
} }
/** /**
* Take an absolute file and return the filename. * Take an absolute file and return the filename.
* *
@ -368,6 +374,15 @@ public class Course
} }
} }
private String getLanguageFromFileName(String first, String absoluteFile){
int p1 = absoluteFile.indexOf("/",absoluteFile.indexOf(first)+1);
int p2 = absoluteFile.indexOf("/",p1+1);
String langStr=absoluteFile.substring(p1+1,p2);
return new String(langStr);
}
/** /**
* For each lesson, set the source file and lesson file * For each lesson, set the source file and lesson file
*/ */
@ -402,7 +417,9 @@ public class Course
// lesson " + // lesson " +
// lesson.getClass().getName()); // lesson.getClass().getName());
// System.out.println("fileName: " + fileName + " == className: " + className ); // System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonPlanFileName(absoluteFile); String language = getLanguageFromFileName("/lesson_plans",absoluteFile);
lesson.setLessonPlanFileName(language, absoluteFile);
this.webgoatContext.getWebgoatI18N().loadLanguage(language);
} }
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) && className.endsWith(fileName))

48
main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
View File

@ -23,6 +23,8 @@ import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.RandomLessonAdapter; import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.lessons.SequentialLessonAdapter; import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -143,6 +145,8 @@ public class WebSession
public final static String DEBUG = "debug"; public final static String DEBUG = "debug";
public final static String LANGUAGE = "language";
/** /**
* Description of the Field * Description of the Field
*/ */
@ -198,6 +202,10 @@ public class WebSession
private int currentMenu; private int currentMenu;
private String currentLanguage = null;
/** /**
* Constructor for the WebSession object * Constructor for the WebSession object
* *
@ -215,7 +223,9 @@ public class WebSession
showSource = webgoatContext.isShowSource(); showSource = webgoatContext.isShowSource();
showSolution = webgoatContext.isShowSolution(); showSolution = webgoatContext.isShowSolution();
showRequest = webgoatContext.isShowRequest(); showRequest = webgoatContext.isShowRequest();
currentLanguage = webgoatContext.getDefaultLanguage();
this.context = context; this.context = context;
course = new Course(); course = new Course();
course.loadCourses(webgoatContext, context, "/"); course.loadCourses(webgoatContext, context, "/");
} }
@ -290,6 +300,9 @@ public class WebSession
return context; return context;
} }
public List<String> getRoles() public List<String> getRoles()
{ {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
@ -591,20 +604,6 @@ public class WebSession
return (isAdmin); return (isAdmin);
} }
/**
* Sets the admin flag - this routine is ONLY
* here to allow someone a backdoor to setting the
* user up as an admin.
*
* This is also used by the WebSession to set the admin, but the method
* should be private
*
* @param state
*/
public void setAdmin(boolean state)
{
isAdmin = state;
}
/** /**
* Gets the hackedAdmin attribute of the WebSession object * Gets the hackedAdmin attribute of the WebSession object
* *
@ -728,7 +727,7 @@ public class WebSession
*/ */
public boolean isUser() public boolean isUser()
{ {
return (!isAdmin() && !isChallenge()); return (!isAdmin && !isChallenge());
} }
/** /**
@ -835,6 +834,12 @@ public class WebSession
myParser.update(request); myParser.update(request);
} }
if(myParser.getRawParameter(LANGUAGE,null)!=null){
this.currentLanguage=new String(myParser.getRawParameter(LANGUAGE,null));
WebGoatI18N.setCurrentLanguage(this.currentLanguage);
}
// System.out.println("Current Screen 1: " + currentScreen ); // System.out.println("Current Screen 1: " + currentScreen );
// System.out.println("Previous Screen 1: " + previousScreen ); // System.out.println("Previous Screen 1: " + previousScreen );
// FIXME: requires ?Logout=true // FIXME: requires ?Logout=true
@ -965,8 +970,8 @@ public class WebSession
} }
setAdmin(request.isUserInRole(WEBGOAT_ADMIN)); isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin()); isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
if (isHackedAdmin) if (isHackedAdmin)
{ {
System.out.println("Hacked admin"); System.out.println("Hacked admin");
@ -1006,9 +1011,6 @@ public class WebSession
RandomLessonAdapter rla = (RandomLessonAdapter) al; RandomLessonAdapter rla = (RandomLessonAdapter) al;
rla.setStage(this, rla.getStages()[0]); rla.setStage(this, rla.getStages()[0]);
} }
else if(al instanceof org.owasp.webgoat.lessons.MaliciousFileExecution) {
((org.owasp.webgoat.lessons.MaliciousFileExecution) al).restartLesson(this);
}
} }
/** /**
@ -1093,4 +1095,10 @@ public class WebSession
{ {
return webgoatContext; return webgoatContext;
} }
public String getCurrrentLanguage() {
return currentLanguage;
}
} }

23
main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java
View File

@ -4,6 +4,8 @@ package org.owasp.webgoat.session;
import java.util.Iterator; import java.util.Iterator;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
import org.owasp.webgoat.util.WebGoatI18N;
public class WebgoatContext public class WebgoatContext
{ {
@ -40,6 +42,8 @@ public class WebgoatContext
public final static String DEBUG = "debug"; public final static String DEBUG = "debug";
public final static String DEFAULTLANGUAGE = "DefaultLanguage";
private String databaseConnectionString; private String databaseConnectionString;
private String realConnectionString = null; private String realConnectionString = null;
@ -76,6 +80,10 @@ public class WebgoatContext
private HttpServlet servlet; private HttpServlet servlet;
private String defaultLanguage;
private WebGoatI18N webgoati18n = null;
public WebgoatContext(HttpServlet servlet) public WebgoatContext(HttpServlet servlet)
{ {
this.servlet = servlet; this.servlet = servlet;
@ -100,6 +108,9 @@ public class WebgoatContext
showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
isDebug = "true".equals(getParameter(servlet, DEBUG)); isDebug = "true".equals(getParameter(servlet, DEBUG));
servletName = servlet.getServletName(); servletName = servlet.getServletName();
defaultLanguage = getParameter(servlet,DEFAULTLANGUAGE)!=null ? new String(getParameter(servlet, DEFAULTLANGUAGE)): new String("English");
webgoati18n = new WebGoatI18N(this);
} }
@ -222,4 +233,16 @@ public class WebgoatContext
return showSolution; return showSolution;
} }
public String getDefaultLanguage() {
return defaultLanguage;
}
public void setWebgoatiI18N(WebGoatI18N webgoati18n) {
this.webgoati18n = webgoati18n;
}
public WebGoatI18N getWebgoatI18N() {
return webgoati18n;
}
} }

41
main/project/JavaSource/org/owasp/webgoat/util/WebGoatI18N.java Normal file
View File

@ -0,0 +1,41 @@
package org.owasp.webgoat.util;
import java.util.HashMap;
import java.util.Locale;
import java.util.ResourceBundle;
import org.owasp.webgoat.session.WebgoatContext;
public class WebGoatI18N {
private static HashMap<String,ResourceBundle> labels= new HashMap<String,ResourceBundle>();
private static String defaultLanguage ;
private static String currentLanguage;
public WebGoatI18N(WebgoatContext context){
Locale l = new Locale(context.getDefaultLanguage());
WebGoatI18N.defaultLanguage=context.getDefaultLanguage();
labels.put(context.getDefaultLanguage(),ResourceBundle.getBundle("WebGoatLabels",l));
}
public static void loadLanguage(String language){
Locale l = new Locale(language);
labels.put(language, ResourceBundle.getBundle("WebGoatLabels",l));
}
public static void setCurrentLanguage(String language){
WebGoatI18N.currentLanguage=language;
}
public static String get(String strName) {
if(labels.containsKey(WebGoatI18N.currentLanguage)){
return labels.get(WebGoatI18N.currentLanguage).getString(strName);
}
else {
return labels.get(WebGoatI18N.defaultLanguage).getString(strName);
}
}
}

4
main/project/WebContent/css/webgoat.css
View File

@ -192,9 +192,9 @@ html>body #navBar li {}
#topRight { #topRight {
position:absolute; position:absolute;
left:715px; left:485px;
top:0px; top:0px;
width:75px; width:320px;
height:23px; height:23px;
z-index:3; z-index:3;
float: right; float: right;

7
main/project/WebContent/javascript/menu_system.js
View File

@ -1,3 +1,10 @@
function changeLanguage(){
var select=MM_findObj("language",null);
document.location="attack?language="+select.value;
}
function MM_findObj(n, d) { function MM_findObj(n, d) {
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) { var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);} d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}

0
main/project/WebContent/lesson_plans/AccessControlMatrix.html → main/project/WebContent/lesson_plans/English/AccessControlMatrix.html
View File

0
main/project/WebContent/lesson_plans/BackDoors.html → main/project/WebContent/lesson_plans/English/BackDoors.html
View File

0
main/project/WebContent/lesson_plans/BasicAuthentication.html → main/project/WebContent/lesson_plans/English/BasicAuthentication.html
View File

0
main/project/WebContent/lesson_plans/BlindSqlInjection.html → main/project/WebContent/lesson_plans/English/BlindSqlInjection.html
View File

0
main/project/WebContent/lesson_plans/BufferOverflow.html → main/project/WebContent/lesson_plans/English/BufferOverflow.html
View File

0
main/project/WebContent/lesson_plans/CSRF.html → main/project/WebContent/lesson_plans/English/CSRF.html
View File

0
main/project/WebContent/lesson_plans/ChallengeScreen.html → main/project/WebContent/lesson_plans/English/ChallengeScreen.html
View File

0
main/project/WebContent/lesson_plans/ClientSideFiltering.html → main/project/WebContent/lesson_plans/English/ClientSideFiltering.html
View File

0
main/project/WebContent/lesson_plans/ClientSideValidation.html → main/project/WebContent/lesson_plans/English/ClientSideValidation.html
View File

1
main/project/WebContent/lesson_plans/CommandInjection.html → main/project/WebContent/lesson_plans/English/CommandInjection.html
View File

@ -6,6 +6,7 @@
Command&nbsp; injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.<br/> Command&nbsp; injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.<br/>
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.<br/> Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.<br/>
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br/> It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br/>
Try to inject a command to the operating system.
<!-- Stop Instructions --> <!-- Stop Instructions -->
<p><b>General Goal(s):</b></p> <p><b>General Goal(s):</b></p>
The user should be able to execute any command on the hosting OS. The user should be able to execute any command on the hosting OS.

0
main/project/WebContent/lesson_plans/ConcurrencyCart.html → main/project/WebContent/lesson_plans/English/ConcurrencyCart.html
View File

0
main/project/WebContent/lesson_plans/CrossSiteScripting.html → main/project/WebContent/lesson_plans/English/CrossSiteScripting.html
View File

0
main/project/WebContent/lesson_plans/CsrfPromptByPass.html → main/project/WebContent/lesson_plans/English/CsrfPromptByPass.html
View File

0
main/project/WebContent/lesson_plans/CsrfTokenByPass.html → main/project/WebContent/lesson_plans/English/CsrfTokenByPass.html
View File

0
main/project/WebContent/lesson_plans/DBCrossSiteScripting.html → main/project/WebContent/lesson_plans/English/DBCrossSiteScripting.html
View File

0
main/project/WebContent/lesson_plans/DBSQLInjection.html → main/project/WebContent/lesson_plans/English/DBSQLInjection.html
View File

0
main/project/WebContent/lesson_plans/DOMInjection.html → main/project/WebContent/lesson_plans/English/DOMInjection.html
View File

0
main/project/WebContent/lesson_plans/DOMXSS.html → main/project/WebContent/lesson_plans/English/DOMXSS.html
View File

0
main/project/WebContent/lesson_plans/DOS_Login.html → main/project/WebContent/lesson_plans/English/DOS_Login.html
View File

0
main/project/WebContent/lesson_plans/DangerousEval.html → main/project/WebContent/lesson_plans/English/DangerousEval.html
View File

0
main/project/WebContent/lesson_plans/Encoding.html → main/project/WebContent/lesson_plans/English/Encoding.html
View File

0
main/project/WebContent/lesson_plans/FailOpenAuthentication.html → main/project/WebContent/lesson_plans/English/FailOpenAuthentication.html
View File

0
main/project/WebContent/lesson_plans/ForcedBrowsing.html → main/project/WebContent/lesson_plans/English/ForcedBrowsing.html
View File

0
main/project/WebContent/lesson_plans/ForgotPassword.html → main/project/WebContent/lesson_plans/English/ForgotPassword.html
View File

7
main/project/WebContent/lesson_plans/HiddenFieldTampering.html → main/project/WebContent/lesson_plans/English/HiddenFieldTampering.html
View File

@ -2,8 +2,11 @@
<p><b>Lesson Plan Title:</b> How to Exploit Hidden Fields </p> <p><b>Lesson Plan Title:</b> How to Exploit Hidden Fields </p>
</div> </div>
<p><b>Concept / Topic To Teach:</b> </p> <p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified <br> Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified <br>
<!-- Stop Instructions -->
<p><b>General Goal(s):</b> </p> <p><b>General Goal(s):</b> </p>
The user should be able to exploit a hidden field to obtain a product at an incorrect price. The user should be able to exploit a hidden field to obtain a product at an incorrect price.
<!-- Start Instructions -->
Try to purchase the HDTV for less than the purchase price, if you have not done so already.
<!-- Stop Instructions -->

0
main/project/WebContent/lesson_plans/HowToWork.html → main/project/WebContent/lesson_plans/English/HowToWork.html
View File

3
main/project/WebContent/lesson_plans/HtmlClues.html → main/project/WebContent/lesson_plans/English/HtmlClues.html
View File

@ -5,7 +5,8 @@
<p><b>Concept / Topic To Teach:</b> </p> <p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions --> <!-- Start Instructions -->
Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code. &nbsp;Review the source code for any comments denoting&nbsp; passwords, backdoors, or something doesn't work right.&nbsp; Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code. &nbsp;Review the source code for any comments denoting&nbsp; passwords, backdoors, or something doesn't work right.&nbsp;
Below is an example of a forms based authentication form. Look for clues to help you log in.
<!-- Stop Instructions --> <!-- Stop Instructions -->
<br> <br>
<p><b>General Goal(s):</b> </p> <p><b>General Goal(s):</b> </p>
The user should be able to bypass the authentication check. The user should be able to bypass the authentication check.

0
main/project/WebContent/lesson_plans/HttpBasics.html → main/project/WebContent/lesson_plans/English/HttpBasics.html
View File

0
main/project/WebContent/lesson_plans/HttpOnly.html → main/project/WebContent/lesson_plans/English/HttpOnly.html
View File

0
main/project/WebContent/lesson_plans/HttpSplitting.html → main/project/WebContent/lesson_plans/English/HttpSplitting.html
View File

0
main/project/WebContent/lesson_plans/InsecureLogin.html → main/project/WebContent/lesson_plans/English/InsecureLogin.html
View File

0
main/project/WebContent/lesson_plans/JSONInjection.html → main/project/WebContent/lesson_plans/English/JSONInjection.html
View File

8
main/project/WebContent/lesson_plans/JavaScriptValidation.html → main/project/WebContent/lesson_plans/English/JavaScriptValidation.html
View File

@ -2,9 +2,13 @@
<p><b>Lesson Plan Title:</b> How to Bypass Client Side JavaScript Validation </p> <p><b>Lesson Plan Title:</b> How to Bypass Client Side JavaScript Validation </p>
</div> </div>
<p><b>Concept / Topic To Teach:</b> </p> <p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application. Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application.
<!-- Stop Instructions -->
<br> <br>
<p><b>General Goal(s):</b> </p> <p><b>General Goal(s):</b> </p>
For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting. <br> For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting. <br>
<!-- Start Instructions -->
This website performs both client and server side validation. For this exercise, your job is to break the client side validation and send the
website input that it wasn't expecting. <b> You must break all 7 validators at the same time. </b>
<!-- Stop Instructions -->

0
main/project/WebContent/lesson_plans/Lesson_Plan_Template.html → main/project/WebContent/lesson_plans/English/Lesson_Plan_Template.html
View File

0
main/project/WebContent/lesson_plans/LogSpoofing.html → main/project/WebContent/lesson_plans/English/LogSpoofing.html
View File

0
main/project/WebContent/lesson_plans/MultiLevelLogin1.html → main/project/WebContent/lesson_plans/English/MultiLevelLogin1.html
View File

0
main/project/WebContent/lesson_plans/MultiLevelLogin2.html → main/project/WebContent/lesson_plans/English/MultiLevelLogin2.html
View File

0
main/project/WebContent/lesson_plans/NewLesson.html → main/project/WebContent/lesson_plans/English/NewLesson.html
View File

0
main/project/WebContent/lesson_plans/PasswordStrength.html → main/project/WebContent/lesson_plans/English/PasswordStrength.html
View File

0
main/project/WebContent/lesson_plans/PathBasedAccessControl.html → main/project/WebContent/lesson_plans/English/PathBasedAccessControl.html
View File

0
main/project/WebContent/lesson_plans/Phishing.html → main/project/WebContent/lesson_plans/English/Phishing.html
View File

0
main/project/WebContent/lesson_plans/ReflectedXSS.html → main/project/WebContent/lesson_plans/English/ReflectedXSS.html
View File

0
main/project/WebContent/lesson_plans/RemoteAdminFlaw.html → main/project/WebContent/lesson_plans/English/RemoteAdminFlaw.html
View File

0
main/project/WebContent/lesson_plans/RoleBasedAccessControl.html → main/project/WebContent/lesson_plans/English/RoleBasedAccessControl.html
View File

0
main/project/WebContent/lesson_plans/SQLInjection.html → main/project/WebContent/lesson_plans/English/SQLInjection.html
View File

0
main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html → main/project/WebContent/lesson_plans/English/SameOriginPolicyProtection.html
View File

0
main/project/WebContent/lesson_plans/SessionFixation.html → main/project/WebContent/lesson_plans/English/SessionFixation.html
View File

0
main/project/WebContent/lesson_plans/SilentTransactions.html → main/project/WebContent/lesson_plans/English/SilentTransactions.html
View File

0
main/project/WebContent/lesson_plans/SoapRequest.html → main/project/WebContent/lesson_plans/English/SoapRequest.html
View File

0
main/project/WebContent/lesson_plans/SqlNumericInjection.html → main/project/WebContent/lesson_plans/English/SqlNumericInjection.html
View File

0
main/project/WebContent/lesson_plans/SqlStringInjection.html → main/project/WebContent/lesson_plans/English/SqlStringInjection.html
View File

0
main/project/WebContent/lesson_plans/StoredXss.html → main/project/WebContent/lesson_plans/English/StoredXss.html
View File

0
main/project/WebContent/lesson_plans/ThreadSafetyProblem.html → main/project/WebContent/lesson_plans/English/ThreadSafetyProblem.html
View File

0
main/project/WebContent/lesson_plans/TomcatSetup.html → main/project/WebContent/lesson_plans/English/TomcatSetup.html
View File

0
main/project/WebContent/lesson_plans/TraceXSS.html → main/project/WebContent/lesson_plans/English/TraceXSS.html
View File

0
main/project/WebContent/lesson_plans/UncheckedEmail.html → main/project/WebContent/lesson_plans/English/UncheckedEmail.html
View File

0
main/project/WebContent/lesson_plans/UsefulTools.html → main/project/WebContent/lesson_plans/English/UsefulTools.html
View File

0
main/project/WebContent/lesson_plans/WSDLScanning.html → main/project/WebContent/lesson_plans/English/WSDLScanning.html
View File

6
main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html → main/project/WebContent/lesson_plans/English/WeakAuthenticationCookie.html
View File

@ -3,8 +3,10 @@
</div> </div>
<p><b>Concept / Topic To Teach:</b> </p> <p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
Many applications will automatically log a user into their site if the right authentication cookie is specified. &nbsp; Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained. &nbsp;Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability. &nbsp;Some times the cookies maybe intercepted using Cross site scripting. &nbsp;This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.<br> Many applications will automatically log a user into their site if the right authentication cookie is specified. &nbsp; Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained. &nbsp;Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability. &nbsp;Some times the cookies maybe intercepted using Cross site scripting. &nbsp;This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.<br>
<!-- Stop Instructions -->
<p><b>General Goal(s):</b> </p> <p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
The user should be able to bypass the authentication check. The user should be able to bypass the authentication check.
Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice.
<!-- Stop Instructions -->

0
main/project/WebContent/lesson_plans/WeakSessionID.html → main/project/WebContent/lesson_plans/English/WeakSessionID.html
View File

0
main/project/WebContent/lesson_plans/WelcomeScreeen.html → main/project/WebContent/lesson_plans/English/WelcomeScreeen.html
View File

0
main/project/WebContent/lesson_plans/WsSAXInjection.html → main/project/WebContent/lesson_plans/English/WsSAXInjection.html
View File

0
main/project/WebContent/lesson_plans/WsSqlInjection.html → main/project/WebContent/lesson_plans/English/WsSqlInjection.html
View File

0
main/project/WebContent/lesson_plans/XMLInjection.html → main/project/WebContent/lesson_plans/English/XMLInjection.html
View File

0
main/project/WebContent/lesson_plans/XPATHInjection.html → main/project/WebContent/lesson_plans/English/XPATHInjection.html
View File

15
main/project/WebContent/lesson_plans/German/BasicAuthentication.html Normal file
View File

@ -0,0 +1,15 @@
<div align="Center">
<p><b>Lehrplan:</b> Basic Authentication </p>
</div>
<p><b>Lehrinhalt:</b></p>
<!-- Start Instructions -->
"Basic Authentication" wird benutzt um Server-seitige Resource zu schützen. Wird eine Anfrage an eine geschützte Resource gestellt, so sendet der Webserver ein "401 authentication request" mit der Antwort auf diese Anfrage.
Dann fragt, auf der Client Seite, der Browser den Benutzer mittels einer Dialogbox nach Benutzername und Passwort für diese Resource.
Der Browser enkodiert Benutzername und Passwort mit base64 und sendet diese Zugangsdaten zum Webserver.
Daraufhin validiert der Webserver Benutzername und Passwort und gibt als Antwort die angeforderte Resource zurück falls die übermittelten Zugangsdaten korrekt sind.
Die Zugangsdaten werden vom Browser bei jedem weiteren Zugriff auf geschützte Resourcen mitgesendet ohne dass der Benutzer
sie ein weiteres Mal eingeben muss.<br/>
<br/>
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b></p>
Das Ziel dieser Lektion ist es "Basic Authentication" zu verstehen und die folgenden Fragen zu beantworten.
<!-- Stop Instructions -->

16
main/project/WebContent/lesson_plans/German/CommandInjection.html Normal file
View File

@ -0,0 +1,16 @@
<div align="Center">
<p><b>Lehrplan:</b> Einschleusen von Programmcode</p>
</div>
<p><b>Konzept:</b></p>
Das Einschleusen von Programmcode stellt eine ernst zu nehmende Bedrohung für dynamische Webseiten dar. Entsprechende Angriffe
sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der Kompromittierung des kompletten Systems.
Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet für diese Form des Angriffs verwundbar.
Dieser Angriff ist zwar leicht durchzuführen, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken
leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen
besteht darin alle Eingabedaten zu säubern, insbesondere die Daten die in Betriebssystembefehlen,
Skripten und Datenbankabfragen eingebaut werden.
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b></p>
<!-- Start Instructions -->
Schleusen Sie einen Befehl in das darunterliegende Betriebssystem ein.
<!-- Stop Instructions -->

14
main/project/WebContent/lesson_plans/German/HiddenFieldTampering.html Normal file
View File

@ -0,0 +1,14 @@
<div align="Center">
<p><b>Lehrplan:</b> Versteckte Felder ausnutzen </p>
</div>
<p><b>Konzept:</b> </p>
<!-- Start Instructions -->
Entwickler benutzen versteckte Formularfelder zur Besucherverfolgung, für den Login, für Preisinformationen und andere
Informationen. Dies ist ein sehr einfacher und bequemer Mechnismus für Entwickler, allerdings werden die Werte
diese Felder nur selten geprüft bevor sie benutzt werden. In dieser Lektion lernt man wie man versteckte Felder
zu seinem Vorteil manipulieren kann.
<br>
<!-- Stop Instructions -->
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
Nutzen Sie ein verstecktes Formularfeld aus, um den HD Fernseher zu einem falschen Preis zu kaufen.

13
main/project/WebContent/lesson_plans/German/HtmlClues.html Normal file
View File

@ -0,0 +1,13 @@
<div align="Center">
<p><b>Lehrplan:</b> Nützliche Hinweise in HTML entdecken. </p>
</div>
<p><b>Konzept:</b> </p>
<!-- Start Instructions -->
Entwickler lassen oftmals Kommentare wie FIXME's, TODO's, Code Broken, Hack usw. im Quellcode.
Durchsuchen Sie den Quellcode nach allem was für Sie nach Passwörtern, Hintertüren oder anderen Unregelmäßigkeiten aussieht.
<!-- Stop Instructions -->
<br>
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
Sie suchen und finden Hinweise im Quellcode die es Ihnen erlauben sich anzumelden.

29
main/project/WebContent/lesson_plans/German/HttpBasics.html Normal file
View File

@ -0,0 +1,29 @@
<div align="Center">
<p><b>Lehrplan:</b> Http Basics </p>
</div>
<p><b>Lehrinhalt:</b> </p>
Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
<div align="Left">
<p>
<b>So funktioniert HTTP:</b>
</p>
Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Körper.
Der Client initiiert eine Transaktion wie folgt:<br>
<br>
Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
</div>
<br>
<ul>GET /index.html?param=value HTTP/1.0</ul>
Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
<br>
<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
<br>
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
<!-- Start Instructions -->
Geben Sie Ihren Namen in das Eingabefeld ein und drücken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurückschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
<br/><br/>
Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knöpfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
Außerdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren.
<!-- Stop Instructions -->

19
main/project/WebContent/lesson_plans/German/JavaScriptValidation.html Normal file
View File

@ -0,0 +1,19 @@
<div align="Center">
<p><b>Lehrplan:</b> Client-seitige JavaScript Validierung umgehen</p>
</div>
<p><b>Konzept:</b> </p>
Client-seitige Validierung sollte nicht als eine sichere Maßnahme zur Validierung von Parametern angesehen werden.
Diese Art der Validierung kann höchstens den Server entlasten und verhindern das normale Benutzer Eingabedaten in
einem falschen Format absenden. Angreifer hingegen, können diesen Mechanismus auf verschiedene Arten umgehen. Jede
Client-seitige Validierung sollte auf der Serverseite wiederholt werden. Dies verhindert, dass unsichere Parameter
in der Applikation benutzt werden.
<br>
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
<!-- Start Instructions -->
Das untenstehende Formular verlangt von Ihnen verschiedene Regeln beim Ausfüllen einzuhalten. Dies wird Client-seitig
überprüft. Versuchen Sie diese
Regeln zu brechen und senden Sie Daten an die Webseite die die Webseite nicht erwartet! <b> Sie müssen alle 7 Regeln
gleichzeitig brechen! </b>
<!-- Stop Instructions -->

17
main/project/WebContent/lesson_plans/German/LogSpoofing.html Normal file
View File

@ -0,0 +1,17 @@
<div align="Center">
<p><b>Lehrplan:</b> Fälschen von Einträgen in Log Dateien (Log Spoofing) </p>
</div>
<p><b>Konzept:</b> </p>
<p>
Log-Einträge in Log-Dateien müssen nicht immer von tatsächlichen Ereignissen stammen. Ein Angreifer kann durch Einschleusen
bestimmter Einträge das Eintreten bestimmter Ereignisse vortäuschen und dadurch den Administrator zu unnötigen bzw. voreiligen
Handlungen verleiten bzw. ihn einfach nur verwirren.
</p>
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
<!-- Start Instructions -->
* Der graue Bereich steht für das was tatsächlich in der Log-Datei des Webservers erscheint.<br>
* Ihr Ziel ist es so aussehen zu lassen, als hätte sich der Benutzer "admin" erfolgreich eingeloggt.<br/>
* Verbessern Sie Ihren Angriff, indem Sie ein Skript (Javascript) in das Log schreiben.
<!-- Stop Instructions -->

11
main/project/WebContent/lesson_plans/German/PathBasedAccessControl.html Normal file
View File

@ -0,0 +1,11 @@
<div align="Center">
<p><b>Lehrplan:</b> Umgehen eines Pfad-basierten Zugangskontrollschemas</p>
</div>
<p><b>Konzept:</b> </p>
<!-- Start Instructions -->
In einem Pfad-basierten Zugangangskontrollschemas (path based access control scheme), kann ein Angreifer den Pfad "bewandern" indem
er relative Pfadangaben übergibt. Dadurch kann der Angreifer auf Dateien zugreifen, die für niemanden zugänglich sind, bzw. zu denen
der Zugang bei direkter Anfrage ansonsten abgelehnt würde.
<!-- Stop Instructions -->
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
Sie sollten in der Lage sein auf eine Datei zuzugreifen die sich nicht im aufgelisteten Verzeichnis befindet.

19
main/project/WebContent/lesson_plans/German/ReflectedXSS.html Normal file
View File

@ -0,0 +1,19 @@
<div align="Center">
<p><b>Lehrplan: </b>Cross Site Scripting (XSS)</p>
</div>
<p><b>Konzept:</b> </p>
Jegliche Eingabedaten sollten auf der Serverseite überprüft werden.
XSS passiert wenn nicht geprüfte Benutereingaben in eine HTTP Response eingebaut werden.
Bei einem reflektierten XSS Angriff, kann ein Angreifer eine URL erzeugen die ein Angriffsskript enthält und kann diese
URL auf einer Webseite hinterlegen, sie per Email verschicken oder ein Opfer auf eine andere Weise dazu bringen die
URL zu besuchen.
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
Ihre Aufgabe ist es, sich ein Stück Javascript zu überlegen das Sie in diese Seite einbauen können.
Dann versuchen Sie die Seite dazu zu bringen, Ihnen dieses Skript wieder auszulieferen (es zu reflektieren)
so dass das Skript in Ihrem Browser ausgeführt wird.
<!-- Stop Instructions -->

16
main/project/WebContent/lesson_plans/German/RemoteAdminFlaw.html Normal file
View File

@ -0,0 +1,16 @@
<div align="Center">
<p><b>Lehrplan: </b>Zugang zu Web-Resourcen erzwingen</p>
</div>
<p><b>Konzept::</b> </p>
Applikationen haben oftmals eine Administrationsschnittstelle, das priviligierten Benutzern Zugang zu Funktionalität ermöglicht die
für normale Benutzer nicht sichtbar ist. Der Applikationsserver selbst hat auch oft noch eine seperate Administrationsschnittstelle.
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b>
<!-- Start Instructions -->
Versuchen Sie auf die Administrationsschnittstelle von WebGoat zuzugreifen. Sie können auch versuchen auf die Administrationsschnittstelle
von Tomcat (der Applikationsserver) zuzugreifen. Die Tomcat Schnittstelle kann über die URL /admin erreicht werden, zählt aber nicht
für das Bestehen dieser Lektion.
Wenn Sie Zugriff auf Funktionalität der Administrationsschnittstelle erlangt haben, dann kommen Sie hierher zurück um zu sehen ob Sie
die Lektion abgeschlossen haben.
<!-- Stop Instructions -->
</p>

18
main/project/WebContent/lesson_plans/German/SqlNumericInjection.html Normal file
View File

@ -0,0 +1,18 @@
<div align="Center">
<p><b>Lehrplan:</b> Durchführung von Numeric SQL Injection </p>
</div>
<p><b>Konzept:</b> </p>
SQL Injection Angriffe stellen eine ernstzunehmende Bedrohung für alle Datenbank-getriebenen Webseiten dar.
Entsprechende Angriffe sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der
Kompromittierung des kompletten Systems.
Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet für diese Form des Angriffs verwundbar.
Dieser Angriff ist zwar leicht durchzuführen, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken
leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen
besteht darin alle Eingabedaten zu säubern, insbesondere die Daten die in Betriebssystembefehlen,
Skripten und Datenbankabfragen eingebaut werden.
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
<!-- Start Instructions -->
Das untenstehende Formular ermöglicht es dem Benutzer Wetterdaten zu betrachten. Versuchen Sie einen SQL String einzuschleusen, der
als Resultat alle Wetterdaten anzeigt.
<!-- Stop Instructions -->

Some files were not shown because too many files have changed in this diff Show More