#319

webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html

@@ -85,43 +85,4 @@
 		</div>
 	</div>
 
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
-	</div>
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
-    </div>
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
-	</div>
-
-    <div class="lesson-page-wrapper">
-        <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
-        <div class="attack-container">
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
-                  method="POST"
-                  action="/WebGoat/HttpBasics/intercept-request"
-                  enctype="application/json;charset=UTF-8">
-
-                <input type="text" value="doesn't matter really" name="changeMe" />
-                <input type="submit" value="Submit" />
-
-            </form>
-            <div class="attack-feedback"></div>
-            <div class="attack-output"></div>
-        </div>
-    </div>
 </html>

webgoat-lessons/http-proxies/pom.xml

@@ -0,0 +1,12 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>http-proxies</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+
+</project>

webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java

@@ -0,0 +1,59 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.lessons.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created October 28, 2003
+ */
+@AssignmentPath("/HttpProxies/intercept-request")
+public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
+
+	@RequestMapping(method = RequestMethod.GET)
+	public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException {
+		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
+            return trackProgress(AttackResult.success("Well done, you tampered the request as expected"));
+		} else {
+            return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!"));
+        }
+	}
+}

webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java

@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class HttpProxies extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.GENERAL;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 2;
+    }
+
+    @Override
+    public String getTitle() {
+        return "http-proxies.title";
+    }
+
+    @Override
+    public String getId() {
+        return "HttpProxies";
+    }
+}

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html

@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
+	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
+    </div>
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
+	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- stripped down without extra comments -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
+                  method="POST"
+                  action="/WebGoat/HttpBasics/intercept-request"
+                  enctype="application/json;charset=UTF-8">
+
+                <input type="text" value="doesn't matter really" name="changeMe" />
+                <input type="submit" value="Submit" />
+
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+</html>

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html

@@ -0,0 +1,29 @@
+<div align="Center"> 
+<p><b>Lehrplan:</b> Http Basics </p>
+ </div>
+ 
+<p><b>Lehrinhalt:</b> </p>
+ Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
+<div align="Left"> 
+<p>
+<b>So funktioniert HTTP:</b>
+</p>
+Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Körper.
+Der Client initiiert eine Transaktion wie folgt:<br>
+<br>
+ Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
+</div>
+  <br>
+<ul>GET /index.html?param=value HTTP/1.0</ul>
+ Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
+ <br>
+<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
+Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
+<br>
+<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
+<!-- Start Instructions -->
+Geben Sie Ihren Namen in das Eingabefeld ein und drücken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurückschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
+<br/><br/>
+Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knöpfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
+Außerdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren. 
+<!-- Stop Instructions -->

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc

@@ -2,14 +2,14 @@
 
 To incercept a request, you start by clicking the green button. This will set a break point for the next request.
 
-image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
 
 NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
 That's part of what hackers do ... explore!
 
 Once you are interecepting requests and  a request is made, it should look something like this:
 
-image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
 
 === Intercept and modify a request
 

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc

@@ -17,7 +17,7 @@ Once you have 'installed' ZAP (you don't really install it, just unpack it and r
 === Start ZAP
 When ZAP starts, you will be presented with a dialog such as the one below ...
 
-image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
 
 === Configure Proxy's Port
 
@@ -26,5 +26,5 @@ image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,s
 . Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
 . Click OK
 
-image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
 

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc

@@ -16,7 +16,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
 .. input *8090* as the port
 .. check the _Use this proxy server for all protocols_ checkbox
 
-image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 
 ==== Chrome Proxy Config
 
@@ -28,4 +28,4 @@ image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox
 . Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
 . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
 
-image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc

@@ -3,4 +3,4 @@
 You should now be able to browse somewhere. We suggest starting with a plain http host.
 If it's working, ZAP's history tab will start to look something like this.
 
-image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]
+image::plugin_lessons/plugin/HttpProxies/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html

@@ -0,0 +1,33 @@
+<div align="Center"> 
+<p><b>Название урока:</b> Основы Http </p>
+ </div>
+ 
+<p><b>Тема изучения:</b> </p>
+В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
+<div align="Left"> 
+<p>
+<b>Как работает HTTP:</b>
+</p>
+Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
+строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
+<br>
+ Он соединяется с сервером и отправляет запрос для получения документа <br>
+</div>
+  <br>
+<ul>GET /index.html?param=value HTTP/1.0</ul>
+Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
+(например какие кодировки и типы документов поддерживаются клиентом).<br>
+ <br>
+<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
+После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
+предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
+<p><b>Основные цели и задачи:</b> </p>
+<!-- Start Instructions -->
+Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
+полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
+полученных из HTTP-запроса.
+<br/><br/>
+Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса, 
+отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
+запросов вы можете использовать WebScarab.
+<!-- Stop Instructions -->

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc

@@ -0,0 +1,5 @@
+= HTTP Basics 
+ 
+== Solution 
+
+Solution goes here

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this block for each 'page' of content -->
+		<!-- include content here ... will be first page/tab  multiple -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
+	</div>
+
+
+</html>

webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -0,0 +1,15 @@
+http-basics.EnterYourName=Enter your Name
+http-basics.Go!=Go!
+http-proxies.title=HTTP Proxies
+
+
+http-basics.hints.http_basics_lesson.1=Type in your name and press 'go'
+http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features
+http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>
+
+
+http-basics.reversed=The server has reversed your name: {0}
+
+http-basics.close=You are close, try again: {0}
+http-basics.incorrect=the HTTP Command is incorrect.
+http-basics.magic=the magic number is incorrect.

webgoat-lessons/pom.xml

@@ -17,6 +17,7 @@
         <module>client-side-filtering</module>
         <module>cross-site-scripting</module>
         <module>http-basics</module>
+        <module>http-proxies</module>
         <module>sql-injection</module>
         <module>xxe</module>
         <module>idor</module>