Build cleanup in order to create a complete developer distribution. More menu cleanup

git-svn-id: http://webgoat.googlecode.com/svn/trunk@217 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-01-03 21:09:17 +00:00 · 2008-01-03 21:09:17 +00:00 · 23e7fe1f4f
commit 23e7fe1f4f
parent f6e0cb7ed0
9 changed files with 88 additions and 43 deletions
--- a/webgoat/main/HOW
+++ b/webgoat/main/HOW
@ -125,24 +125,6 @@ in "Server Overview" window
    NOTE: In developer mode you may want to leave this checked
 Rename the web.xml file:
    a. Delete the web.xml file located at
       <webgoat-root>/project/WebContent/WEB-INF/web.xml
    b. Copy the appropriate web-*.xml as the new web.xml
 	Windows:
 	copy <webgoat-root>/project/WebContent/WEB-INF/web-windows.xml to
 	     <webgoat-root>/project/WebContent/WEB-INF/web.xml
 	Unix:
 	copy <webgoat-root>/project/WebContent/WEB-INF/web-unix.xml to
 	     <webgoat-root>/project/WebContent/WEB-INF/web.xml
 Right click on Tomcat v5.5 Sever@localhost ->Start
--- a/webgoat/main/build.xml
+++ b/webgoat/main/build.xml
@ -293,7 +293,9 @@
 		<!-- Build the CD image -->
 		<zip destfile="${dist.home}/${ant.project.name}.zip">
 			<zipfileset dir="." prefix="${install.home}"
-				includes="eclipse/, java/, project/, paros/, tomcat/, webscarab/, eclipse.bat, webgoat.bat, webgoat_8080.bat, webscarab.bat"
+				includes="eclipse/, java/, project/, FirefoxPortable/, Paros/, tomcat/, webscarab/, 
 				          eclipse.bat, webgoat.bat, webgoat_8080.bat, webscarab.bat,
 						  *.txt, Eclipse-Workspace.zip"
 				excludes="project/.*, project/.settings/**, project/dist/**, project/owasp_distributions/**, project/bin/**, project/build/**"/>
 		</zip>
 	</target> 	
@ -312,7 +314,7 @@
 		<!-- Build the CD image -->
 		<zip destfile="${dist.home}/${ant.project.name}.zip">
 			<zipfileset dir="." prefix="${install.home}"
-				includes="java/, tomcat/, paros/, webscarab/, webgoat.bat, webgoat_8080.bat, webscarab.bat"
+				includes="java/, tomcat/, FirefoxPortable/, Paros/, webscarab/, webgoat.bat, webgoat_8080.bat, webscarab.bat"
 				excludes="project/.*, project/.settings/**, project/dist/**, project/owasp_distributions/**, project/bin/**, project/build/**"/>
 		</zip>
 	</target> 	
--- a/webgoat/main/eclipse.bat
+++ b/webgoat/main/eclipse.bat
@ -1,7 +1,28 @@
-set JAVAHOME= C:\Program Files\Java\jdk1.5.0_08
+ECHO OFF
 IF NOT EXIST workspace GOTO UNPACK
 set JAVAHOME= java
 set PATH=%JAVAHOME%\bin;%PATH%
-set ECLIPSE_HOME= C:\webgoat\tools\eclipse
+set ECLIPSE_HOME= eclipse
 SET JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx768m
 %ECLIPSE_HOME%\eclipse.exe -data .\workspace
 GOTO END
 :UNPACK
 ECHO *
 ECHO *
 ECHO *
 ECHO *
 ECHO *   ERROR -- eclipse workspace is missing
 ECHO *
 ECHO *
 ECHO *
 ECHO *
 ECHO *   Use winzip to unzip Eclipse-Workspace.zip
 ECHO *
 ECHO *
 ECHO *
 PAUSE
 :END
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
@ -7,7 +7,9 @@ import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
 import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
@ -77,19 +79,37 @@ public class AccessControlMatrix extends LessonAdapter
 		    String user = s.getParser().getRawParameter(USER, users[0]);
 		    String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
 		    String credentials = getRoles(user).toString();
-		    ec.addElement(new P().addElement("Change user:"));
+			
-		    ec.addElement(ECSFactory.makePulldown(USER, users, user, 1));
+		    Table t = new Table().setCellSpacing(0).setCellPadding(2)
-		    ec.addElement(new P());
+			.setBorder(0).setWidth("90%").setAlign("center");
    		if (s.isColor())
    		{
    		    t.setBorder(1);
    		}
    		TR tr = new TR();
 		    tr.addElement(new TD().addElement("Change user:"));
 		    tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1)));
 		    t.addElement(tr);
 		    // These two lines would allow the user to select the resource from a  list
 		    // Didn't seem right to me so I made them type it in.
 		    //	ec.addElement( new P().addElement( "Choose a resource:" ) );
 		    //	ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
-		    ec.addElement(new P().addElement("Select resource: "));
+    		tr = new TR();
-		    ec.addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1));
+		    tr.addElement(new TD().addElement("Select resource: "));
 		    tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)));
 		    t.addElement(tr);
-		    ec.addElement(new P());
+    		tr = new TR();
-		    ec.addElement(ECSFactory.makeButton("Check Access"));
+		    tr.addElement(new TD("&nbsp;").setColSpan(2).setAlign("center"));
 		    t.addElement(tr);
    		tr = new TR();
 		    tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
 		    t.addElement(tr);
 		    ec.addElement(t);
 		    if (isAllowed(user, resource))
 		    {
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@ -278,7 +278,7 @@ public class CSRF extends LessonAdapter {
 	@Override	
 	protected Category getDefaultCategory() {
-		return Category.ACCESS_CONTROL;
+		return Category.XSS;
 	}
 	private final static Integer DEFAULT_RANKING = new Integer(120);
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@ -288,7 +288,7 @@ public class CrossSiteScripting extends GoatHillsFinancial
     */
    public String getTitle()
    {
-	return "LAB: Cross Site Scripting (XSS)";
+	return "LAB: Cross Site Scripting";
    }
 	public String htmlEncode(WebSession s, String text)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
@ -228,7 +228,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
 	 */
 	protected Category getDefaultCategory()
 	{
-		return Category.AUTHENTICATION;
+		return Category.SESSION_MANAGEMENT;
 	}
 	/**
--- a/webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
+++ b/webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
@ -1,9 +1,25 @@
 <div align="Center">
 <p><b>Lesson Plan Title:</b> HttpOnly Test</p>
 </div>
-<p><b>Concept / Topic To Teach:</b> </p>
+<p><b>Concept / Topic To Teach:</b></p>
 <!-- Start Instructions -->
-To help mitigate the cross site scripting threat, Microsoft has introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly.
+To help mitigate the cross site scripting threat, Microsoft has
-<p><b>General Goal(s):</b> </p>
+introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
-The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, client side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. Some browsers only prevent client side read access, but don't prevent write access.
+set, then the browser should not allow client-side script to access the
 cookie. Since the attribute is relatively new, several browsers neglect
 to handle the new attribute properly.
 <p><b>General Goal(s):</b></p>
 The purpose of this lesson is to test whether your browser supports the
 HTTPOnly cookie flag. Note the value of the
 <strong>unique2u</strong>
 cookie. If your browser supports HTTPOnly, and you enable it for a
 cookie, client side code should NOT be able to read OR write to that
 cookie, but the browser can still send its value to the server. Some
 browsers only prevent client side read access, but don't prevent write
 access.
 <br />
 <br />
 With the HTTPOnly attribute turned on, type
 "javascript:alert(document.cookie)" in the browser address bar. Notice
 all cookies are displayed except the unique2u cookie.
 <!-- Stop Instructions -->
--- a/webgoat/main/project/build.xml
+++ b/webgoat/main/project/build.xml
@ -226,6 +226,7 @@
 	<!-- Copying the Java source code into the build directory -->
 	<!-- We must also copy the source into WebContent, since WTP will overwrite the 
 		app as it was deployed from the WAR. -->
 	<!-- We must also copy the doc dir into WebContent, for the "how to create a new lesson" lesson -->
 	<target name="-CopySourceToBuild" depends="prepare" >
 		<copy todir="${build.home}/JavaSource">
 			<fileset dir="${basedir}/JavaSource"/>
@ -233,6 +234,9 @@
 		<copy todir="${web.home}/JavaSource">
 			<fileset dir="${basedir}/JavaSource"/>
 		</copy>
 		<copy todir="${web.home}/doc">
 			<fileset dir="${basedir}/doc"/>
 		</copy>
 	</target>
 	<!-- Copying web-unix.xml to web.xml -->