This patch contains the HTTP connector that intercepts the requests to the application and tries to communicate with OSG.

It also contains the DOM Injection lesson git-svn-id: http://webgoat.googlecode.com/svn/trunk@35 4033779f-a91e-0410-96ef-6bf7bf53c507
2006-12-16 22:39:14 +00:00
parent 80a2add2d7
commit 296254e279
7 changed files with 664 additions and 331 deletions
--- a/webgoat/main/project/WebContent/lesson_plans/DOMInjection.html
+++ b/webgoat/main/project/WebContent/lesson_plans/DOMInjection.html
@ -0,0 +1,22 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b>DOM Injection. </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+How to perform DOM injection attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+Some applications specially the ones that uses AJAX manipulates and updates the DOM
+directly using javascript, DHTML and eval.<br>
+An attacker may take advantage of that by intercepting the reply and try to inject some 
+javascript commands to exploit his attacks.
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+* Your victim is a system that takes an activatation key to allow you to use it.
+* Your goal should be to try to get to enable the activate button.<br>
+* Take some time to see the HTML source in order to understand how does it work.<br>
+<!-- Stop Instructions -->