Build cleanup in order to create a complete developer distribution. More menu cleanup

git-svn-id: http://webgoat.googlecode.com/svn/trunk@217 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-01-03 21:09:17 +00:00 · 2008-01-03 21:09:17 +00:00 · 23e7fe1f4f
commit 23e7fe1f4f
parent f6e0cb7ed0
9 changed files with 88 additions and 43 deletions
--- a/webgoat/main/HOW
+++ b/webgoat/main/HOW
@ -125,24 +125,6 @@ in "Server Overview" window
    NOTE: In developer mode you may want to leave this checked


-Rename the web.xml file:
-
-    a. Delete the web.xml file located at
-       <webgoat-root>/project/WebContent/WEB-INF/web.xml
-
-    b. Copy the appropriate web-*.xml as the new web.xml
-
-	Windows:
-	
-	copy <webgoat-root>/project/WebContent/WEB-INF/web-windows.xml to
-	     <webgoat-root>/project/WebContent/WEB-INF/web.xml
-
-
-	Unix:
-
-	copy <webgoat-root>/project/WebContent/WEB-INF/web-unix.xml to
-	     <webgoat-root>/project/WebContent/WEB-INF/web.xml
-

 Right click on Tomcat v5.5 Sever@localhost ->Start

--- a/webgoat/main/build.xml
+++ b/webgoat/main/build.xml
@ -293,7 +293,9 @@
 		<!-- Build the CD image -->
 		<zip destfile="${dist.home}/${ant.project.name}.zip">
 			<zipfileset dir="." prefix="${install.home}"
-				includes="eclipse/, java/, project/, paros/, tomcat/, webscarab/, eclipse.bat, webgoat.bat, webgoat_8080.bat, webscarab.bat"
+				includes="eclipse/, java/, project/, FirefoxPortable/, Paros/, tomcat/, webscarab/, 
+				          eclipse.bat, webgoat.bat, webgoat_8080.bat, webscarab.bat,
+						  *.txt, Eclipse-Workspace.zip"
 				excludes="project/.*, project/.settings/**, project/dist/**, project/owasp_distributions/**, project/bin/**, project/build/**"/>
 		</zip>
 	</target> 	
@ -312,7 +314,7 @@
 		<!-- Build the CD image -->
 		<zip destfile="${dist.home}/${ant.project.name}.zip">
 			<zipfileset dir="." prefix="${install.home}"
-				includes="java/, tomcat/, paros/, webscarab/, webgoat.bat, webgoat_8080.bat, webscarab.bat"
+				includes="java/, tomcat/, FirefoxPortable/, Paros/, webscarab/, webgoat.bat, webgoat_8080.bat, webscarab.bat"
 				excludes="project/.*, project/.settings/**, project/dist/**, project/owasp_distributions/**, project/bin/**, project/build/**"/>
 		</zip>
 	</target> 	
--- a/webgoat/main/eclipse.bat
+++ b/webgoat/main/eclipse.bat
@ -1,7 +1,28 @@
-set JAVAHOME= C:\Program Files\Java\jdk1.5.0_08
+ECHO OFF
+IF NOT EXIST workspace GOTO UNPACK
+set JAVAHOME= java
 set PATH=%JAVAHOME%\bin;%PATH%
-set ECLIPSE_HOME= C:\webgoat\tools\eclipse
+set ECLIPSE_HOME= eclipse
 SET JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx768m

 %ECLIPSE_HOME%\eclipse.exe -data .\workspace
+GOTO END
+
+:UNPACK
+ECHO *
+ECHO *
+ECHO *
+ECHO *
+ECHO *   ERROR -- eclipse workspace is missing
+ECHO *
+ECHO *
+ECHO *
+ECHO *
+ECHO *   Use winzip to unzip Eclipse-Workspace.zip
+ECHO *
+ECHO *
+ECHO *
+PAUSE
+
+:END

--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
@ -7,7 +7,9 @@ import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
 import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;

@ -77,19 +79,37 @@ public class AccessControlMatrix extends LessonAdapter
 		    String user = s.getParser().getRawParameter(USER, users[0]);
 		    String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
 		    String credentials = getRoles(user).toString();
-		    ec.addElement(new P().addElement("Change user:"));
-		    ec.addElement(ECSFactory.makePulldown(USER, users, user, 1));
-		    ec.addElement(new P());
+			
+		    Table t = new Table().setCellSpacing(0).setCellPadding(2)
+			.setBorder(0).setWidth("90%").setAlign("center");
+
+    		if (s.isColor())
+    		{
+    		    t.setBorder(1);
+    		}
+
+    		TR tr = new TR();
+		    tr.addElement(new TD().addElement("Change user:"));
+		    tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1)));
+		    t.addElement(tr);
 	
 		    // These two lines would allow the user to select the resource from a  list
 		    // Didn't seem right to me so I made them type it in.
 		    //	ec.addElement( new P().addElement( "Choose a resource:" ) );
 		    //	ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
-		    ec.addElement(new P().addElement("Select resource: "));
-		    ec.addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1));
+    		tr = new TR();
+		    tr.addElement(new TD().addElement("Select resource: "));
+		    tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)));
+		    t.addElement(tr);
 	
-		    ec.addElement(new P());
-		    ec.addElement(ECSFactory.makeButton("Check Access"));
+    		tr = new TR();
+		    tr.addElement(new TD("&nbsp;").setColSpan(2).setAlign("center"));
+		    t.addElement(tr);
+		    
+    		tr = new TR();
+		    tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
+		    t.addElement(tr);
+		    ec.addElement(t);
 		    
 		    if (isAllowed(user, resource))
 		    {
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@ -278,7 +278,7 @@ public class CSRF extends LessonAdapter {

 	@Override	
 	protected Category getDefaultCategory() {
-		return Category.ACCESS_CONTROL;
+		return Category.XSS;
 	}

 	private final static Integer DEFAULT_RANKING = new Integer(120);
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@ -288,7 +288,7 @@ public class CrossSiteScripting extends GoatHillsFinancial
     */
    public String getTitle()
    {
-	return "LAB: Cross Site Scripting (XSS)";
+	return "LAB: Cross Site Scripting";
    }

 	public String htmlEncode(WebSession s, String text)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
@ -228,7 +228,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
 	 */
 	protected Category getDefaultCategory()
 	{
-		return Category.AUTHENTICATION;
+		return Category.SESSION_MANAGEMENT;
 	}

 	/**
--- a/webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
+++ b/webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
@ -1,9 +1,25 @@
 <div align="Center">
 <p><b>Lesson Plan Title:</b> HttpOnly Test</p>
 </div>
-<p><b>Concept / Topic To Teach:</b> </p>
+<p><b>Concept / Topic To Teach:</b></p>
 <!-- Start Instructions -->
-To help mitigate the cross site scripting threat, Microsoft has introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly.
-<p><b>General Goal(s):</b> </p>
-The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, client side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. Some browsers only prevent client side read access, but don't prevent write access.
+To help mitigate the cross site scripting threat, Microsoft has
+introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
+set, then the browser should not allow client-side script to access the
+cookie. Since the attribute is relatively new, several browsers neglect
+to handle the new attribute properly.
+<p><b>General Goal(s):</b></p>
+The purpose of this lesson is to test whether your browser supports the
+HTTPOnly cookie flag. Note the value of the
+<strong>unique2u</strong>
+cookie. If your browser supports HTTPOnly, and you enable it for a
+cookie, client side code should NOT be able to read OR write to that
+cookie, but the browser can still send its value to the server. Some
+browsers only prevent client side read access, but don't prevent write
+access.
+<br />
+<br />
+With the HTTPOnly attribute turned on, type
+"javascript:alert(document.cookie)" in the browser address bar. Notice
+all cookies are displayed except the unique2u cookie.
 <!-- Stop Instructions -->
--- a/webgoat/main/project/build.xml
+++ b/webgoat/main/project/build.xml
@ -226,6 +226,7 @@
 	<!-- Copying the Java source code into the build directory -->
 	<!-- We must also copy the source into WebContent, since WTP will overwrite the 
 		app as it was deployed from the WAR. -->
+	<!-- We must also copy the doc dir into WebContent, for the "how to create a new lesson" lesson -->
 	<target name="-CopySourceToBuild" depends="prepare" >
 		<copy todir="${build.home}/JavaSource">
 			<fileset dir="${basedir}/JavaSource"/>
@ -233,6 +234,9 @@
 		<copy todir="${web.home}/JavaSource">
 			<fileset dir="${basedir}/JavaSource"/>
 		</copy>
+		<copy todir="${web.home}/doc">
+			<fileset dir="${basedir}/doc"/>
+		</copy>
 	</target>

 	<!-- Copying web-unix.xml to web.xml -->