| @ -60,8 +60,8 @@ import org.slf4j.LoggerFactory; | ||||
|  * | ||||
|  * Getting Source ============== | ||||
|  * | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository | ||||
|  * for free software projects. | ||||
|  * Source for this application is maintained at | ||||
|  * https://github.com/WebGoat/WebGoat, a repository for free software projects. | ||||
|  * | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  * | ||||
| @ -70,7 +70,7 @@ import org.slf4j.LoggerFactory; | ||||
|  */ | ||||
| public abstract class AbstractLesson extends Screen implements Comparable<Object> { | ||||
|  | ||||
|     final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); | ||||
|     private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); | ||||
|  | ||||
|     /** | ||||
|      * Description of the Field | ||||
| @ -114,7 +114,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object | ||||
|  | ||||
|     private LinkedList<String> availableLanguages = new LinkedList<String>(); | ||||
|  | ||||
|     private String defaultLanguage = "English"; | ||||
|     private String defaultLanguage = "en"; | ||||
|  | ||||
|     /** | ||||
|      * Constructor for the Lesson object | ||||
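Review bot: The literal `"en"` that replaces `"English"` in `defaultLanguage` here is hard-coded again elsewhere in this commit — CommandInjection and PathBasedAccessControl (`"/lesson_plans/en"`), the fallback in WebgoatContext, and the new `DefaultLanguage` init-param in web.xml — so the next rename has to touch five places and a typo in one of them silently breaks the lesson-plan lookup. Define the value once, e.g. `public static final String DEFAULT_LANGUAGE = "en";` on a shared class such as WebgoatContext, and let the lesson code build the lesson-plan path from the configured language rather than a literal. The field sits in a class whose header is outside this hunk.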
| @ -612,6 +612,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object | ||||
|      * @return | ||||
|      */ | ||||
|     public boolean isAuthorized(WebSession s, String role, String functionId) { | ||||
|         logger.info("Checking if " + role + " authorized for: " + functionId); | ||||
|         boolean authorized = false; | ||||
|         try { | ||||
|             String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'"; | ||||
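Review bot: The new `logger.info("Checking if " + role + " authorized for: " + functionId)` on L34 fires on every authorization check, and LessonMenuService in this same commit calls `isAuthorized` twice per challenge lesson while rendering the menu, so this writes several INFO lines per page load; `logger.debug("Checking if {} authorized for: {}", role, functionId);` keeps the information, drops the noise, and skips the concatenation when debug is off. The same applies to the `logger.info("authorized: "+ authorized)` added in the next hunk. isAuthorized continues past the end of this hunk.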
| @ -620,13 +621,14 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object | ||||
|                         .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); | ||||
|                 ResultSet answer_results = answer_statement.executeQuery(query); | ||||
|                 authorized = answer_results.first(); | ||||
|                 logger.info("authorized: "+ authorized); | ||||
|             } catch (SQLException sqle) { | ||||
|                 s.setMessage("Error authorizing"); | ||||
|                 sqle.printStackTrace(); | ||||
|                 logger.error("Error authorizing", sqle); | ||||
|             } | ||||
|         } catch (Exception e) { | ||||
|             s.setMessage("Error authorizing"); | ||||
|             e.printStackTrace(); | ||||
|             logger.error("Error authorizing", e); | ||||
|         } | ||||
|         return authorized; | ||||
|     } | ||||
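Review bot: `answer_statement` and the `answer_results` it produces (L39–L40) are never closed anywhere in this hunk — there is no `finally` and no try-with-resources — so each authorization check leaks a Statement until its connection is collected; the connection expression that precedes `.createStatement` is cut off above the hunk. Since the commit is already reworking this method's error handling, it is also the moment to stop assembling the query by concatenation (the `String query = ...` line is in the previous hunk) and bind `role` and `functionId` as parameters, which is the right shape for a public method even if today's callers only pass constants. Both `catch` blocks set the same message, so once the resources are scoped the inner handler can carry the whole job. The rewrite below assumes the build targets Java 7 or later for try-with-resources and that `java.sql.PreparedStatement` is imported.
```java
String query = "SELECT * FROM auth WHERE role = ? and functionid = ?";
// … unchanged: connection lookup (receiver of the old createStatement call, outside the hunk) …
try (PreparedStatement answer_statement = CONNECTION_EXPR /* placeholder: the connection expression above */
        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
    answer_statement.setString(1, role);
    answer_statement.setString(2, functionId);
    try (ResultSet answer_results = answer_statement.executeQuery()) {
        authorized = answer_results.first();
        logger.debug("authorized: {}", authorized);
    }
} catch (SQLException sqle) {
    s.setMessage("Error authorizing");
    logger.error("Error authorizing", sqle);
}
// … unchanged: outer catch and return …
```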
|  | ||||
| @ -210,7 +210,12 @@ public class Challenge2Screen extends SequentialLessonAdapter | ||||
|                 .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); | ||||
|  | ||||
|         // pull the USER_COOKIE from the cookies | ||||
|         String cookie = URLDecoder.decode(getCookie(s),"utf-8"); | ||||
|         String cookie = getCookie(s); | ||||
|         if (null == cookie) { | ||||
|         	cookie = ""; | ||||
|         } else { | ||||
|         	cookie = URLDecoder.decode(cookie,"utf-8"); | ||||
|         } | ||||
|          | ||||
|         String user = Encoding.base64Decode(cookie); | ||||
|         String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'"; | ||||
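Review bot: L63 and L65 are indented with a tab while the surrounding method uses spaces, which misaligns in any diff viewer and trips whitespace checkers; re-indent the two assignments with spaces. Substituting `""` for a missing cookie means `Encoding.base64Decode("")` runs on the next line; if that helper returns null or throws on empty input (it is not on this page) the guard only moves the failure one line down, so worth confirming before relying on it. The enclosing method begins before this hunk.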
| @ -606,7 +611,7 @@ public class Challenge2Screen extends SequentialLessonAdapter | ||||
|      */ | ||||
|     public String getTitle() | ||||
|     { | ||||
|         return ("The CHALLENGE!"); | ||||
|         return ("The CHALLENGE"); | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|  | ||||
| @ -123,7 +123,7 @@ public class CommandInjection extends LessonAdapter | ||||
|                     illegalCommand = false; | ||||
|                 } | ||||
|             } | ||||
|             File safeDir = new File(s.getContext().getRealPath("/lesson_plans/English")); | ||||
|             File safeDir = new File(s.getContext().getRealPath("/lesson_plans/en")); | ||||
|  | ||||
|             ec.addElement(new StringElement(WebGoatI18N.get("YouAreCurrentlyViewing")+"<b>" | ||||
|                     + (helpFile.toString().length() == 0 ? "<"+WebGoatI18N.get("SelectFileFromListBelow")+">" : helpFile.toString()) | ||||
|  | ||||
| @ -106,7 +106,7 @@ public class JSONInjection extends LessonAdapter | ||||
|     protected Element createContent(WebSession s) | ||||
|     { | ||||
|         ElementContainer ec = new ElementContainer(); | ||||
|         String lineSep = System.getProperty("line.separator"); | ||||
|         String lineSep = System.getProperty("line.separator");  | ||||
|         String script = "<script>" | ||||
|                 + lineSep | ||||
|                 + "function getFlights() {" | ||||
| @ -192,11 +192,11 @@ public class JSONInjection extends LessonAdapter | ||||
|  | ||||
|                 "function check(){" | ||||
|                 + lineSep | ||||
|                 + " if ( document.getElementById('radio0').checked  )" | ||||
|                 + " if ( document.getElementById('radio0') && document.getElementById('radio0').checked  )" | ||||
|                 + lineSep | ||||
|                 + " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}" | ||||
|                 + lineSep | ||||
|                 + " else if ( document.getElementById('radio1').checked  )" | ||||
|                 + " else if ( document.getElementById('radio1') && document.getElementById('radio1').checked  )" | ||||
|                 + lineSep | ||||
|                 + " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}" | ||||
|                 + lineSep + " else " + lineSep + " { alert('Please choose one flight'); return false;}" + lineSep + "}" | ||||
|  | ||||
| @ -67,7 +67,7 @@ public class PathBasedAccessControl extends LessonAdapter | ||||
|  | ||||
|         try | ||||
|         { | ||||
|             String dir = s.getContext().getRealPath("/lesson_plans/English"); | ||||
|             String dir = s.getContext().getRealPath("/lesson_plans/en"); | ||||
|             File d = new File(dir); | ||||
|  | ||||
|             Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); | ||||
|  | ||||
| @ -1,28 +1,31 @@ | ||||
| /*************************************************************************************************** | ||||
|  *  | ||||
|  *  | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, | ||||
|  * please see http://www.owasp.org/ | ||||
|  *  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  *  | ||||
|  * This program is free software; you can redistribute it and/or modify it under the terms of the | ||||
|  * GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||||
|  * License, or (at your option) any later version. | ||||
|  *  | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||||
|  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||||
|  * General Public License for more details. | ||||
|  *  | ||||
|  * You should have received a copy of the GNU General Public License along with this program; if | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  *  | ||||
|  * | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * Getting Source ============== | ||||
|  *  | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software | ||||
|  * projects. | ||||
|  *  | ||||
|  * | ||||
|  * Source for this application is maintained at | ||||
|  * https://github.com/WebGoat/WebGoat, a repository for free software projects. | ||||
|  * | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  */ | ||||
| package org.owasp.webgoat.lessons.model; | ||||
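Review bot: The rewritten header now opens with `/**` (L131), which turns a license banner into a Javadoc comment attached to the `package` statement; the javadoc tool ignores or warns about that, and IDEs will offer the banner as API documentation. Open it with a plain `/*` and keep the asterisk rule inside the comment. While touching it, the copyright line still reads `2002 - 20014` (L138), which looks like a typo for 2014. The same header rewrite appears in the service-package file later in this commit.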
| @ -40,7 +43,9 @@ public class LessonMenuItem { | ||||
|     private LessonMenuItemType type; | ||||
|     private List<LessonMenuItem> children = new ArrayList<LessonMenuItem>(); | ||||
|     private boolean complete; | ||||
|     private String link;    | ||||
|     private String link; | ||||
|     private boolean showSource = true; | ||||
|     private boolean showHints = true; | ||||
|  | ||||
|     /** | ||||
|      * @return the name | ||||
| @ -124,4 +129,32 @@ public class LessonMenuItem { | ||||
|         this.link = link; | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * @return the showSource | ||||
|      */ | ||||
|     public boolean isShowSource() { | ||||
|         return showSource; | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * @param showSource the showSource to set | ||||
|      */ | ||||
|     public void setShowSource(boolean showSource) { | ||||
|         this.showSource = showSource; | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * @return the showHints | ||||
|      */ | ||||
|     public boolean isShowHints() { | ||||
|         return showHints; | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * @param showHints the showHints to set | ||||
|      */ | ||||
|     public void setShowHints(boolean showHints) { | ||||
|         this.showHints = showHints; | ||||
|     } | ||||
|  | ||||
| } | ||||
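Review bot: The Javadoc on the four new accessors only echoes the field names (`@return the showSource`), which tells a reader nothing about what the flag controls; in the page template of this same commit `showSource` gates the "Java [Source]" button and `showHints` the hints panel through `ng-show`. Suggest `/** @return whether the menu entry offers the Java source button for this lesson */` and `/** @return whether hints are offered for this lesson */`, with matching `@param` text on the setters. Both fields default to `true` (L185–L186), and since LessonMenuService only evaluates them for challenge lessons in this commit, that fail-open default deserves a one-line comment on the fields.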
|  | ||||
| @ -34,7 +34,6 @@ import java.io.PrintWriter; | ||||
| import java.io.StringWriter; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.servlet.http.HttpSession; | ||||
| import org.owasp.webgoat.controller.Welcome; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.slf4j.Logger; | ||||
| import org.slf4j.LoggerFactory; | ||||
| @ -51,7 +50,7 @@ import org.springframework.web.bind.annotation.ResponseStatus; | ||||
| @RequestMapping("/service") | ||||
| public abstract class BaseService { | ||||
|  | ||||
|     final Logger logger = LoggerFactory.getLogger(BaseService.class); | ||||
|     private static final Logger logger = LoggerFactory.getLogger(BaseService.class); | ||||
|  | ||||
|     @ExceptionHandler(Exception.class) | ||||
|     @ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT) | ||||
|  | ||||
| @ -1,28 +1,31 @@ | ||||
| /*************************************************************************************************** | ||||
|  *  | ||||
|  *  | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, | ||||
|  * please see http://www.owasp.org/ | ||||
|  *  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  *  | ||||
|  * This program is free software; you can redistribute it and/or modify it under the terms of the | ||||
|  * GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||||
|  * License, or (at your option) any later version. | ||||
|  *  | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||||
|  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||||
|  * General Public License for more details. | ||||
|  *  | ||||
|  * You should have received a copy of the GNU General Public License along with this program; if | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  *  | ||||
|  * | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * Getting Source ============== | ||||
|  *  | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software | ||||
|  * projects. | ||||
|  *  | ||||
|  * | ||||
|  * Source for this application is maintained at | ||||
|  * https://github.com/WebGoat/WebGoat, a repository for free software projects. | ||||
|  * | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  */ | ||||
| package org.owasp.webgoat.service; | ||||
| @ -37,6 +40,8 @@ import org.owasp.webgoat.lessons.model.LessonMenuItem; | ||||
| import org.owasp.webgoat.lessons.model.LessonMenuItemType; | ||||
| import org.owasp.webgoat.session.Course; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.slf4j.Logger; | ||||
| import org.slf4j.LoggerFactory; | ||||
| import org.springframework.stereotype.Controller; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| @ -48,6 +53,8 @@ import org.springframework.web.bind.annotation.ResponseBody; | ||||
| @Controller | ||||
| public class LessonMenuService extends BaseService { | ||||
|  | ||||
|     private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class); | ||||
|  | ||||
|     /** | ||||
|      * Returns the lesson menu which is used to build the left nav | ||||
|      * | ||||
| @ -69,6 +76,8 @@ public class LessonMenuService extends BaseService { | ||||
|             categoryItem.setType(LessonMenuItemType.CATEGORY); | ||||
|             // check for any lessons for this category | ||||
|             List<AbstractLesson> lessons = ws.getLessons(category); | ||||
|             String role = ws.getRole(); | ||||
|             logger.info("Role: " + role); | ||||
|             for (AbstractLesson lesson : lessons) { | ||||
|                 LessonMenuItem lessonItem = new LessonMenuItem(); | ||||
|                 lessonItem.setName(lesson.getTitle()); | ||||
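Review bot: `role` (L319) is read from the session only to be written to an INFO log on L320; the authorization calls added in the next hunk use `AbstractLesson.CHALLENGE_ROLE` rather than this variable, so on the new side it is effectively unused and the log line runs once per category on every menu render. Either drop both lines or keep them at debug level, `logger.debug("Role: {}", role);`. The enclosing loop and method begin before this hunk.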
| @ -77,6 +86,21 @@ public class LessonMenuService extends BaseService { | ||||
|                 if (lesson.isCompleted(ws)) { | ||||
|                     lessonItem.setComplete(true); | ||||
|                 } | ||||
|                 /* @TODO - do this in a more efficient way  | ||||
|                  if (lesson.isAuthorized(ws, role, WebSession.SHOWHINTS)) { | ||||
|                  lessonItem.setShowHints(true); | ||||
|                  } | ||||
|  | ||||
|                  if (lesson.isAuthorized(ws, role, WebSession.SHOWSOURCE)) { | ||||
|                  lessonItem.setShowSource(true); | ||||
|                  } | ||||
|                  */ | ||||
|                 // special handling for challenge role | ||||
|                 if (Category.CHALLENGE.equals(lesson.getCategory())) { | ||||
|                     lessonItem.setShowHints(lesson.isAuthorized(ws, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); | ||||
|                     lessonItem.setShowSource(lesson.isAuthorized(ws, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); | ||||
|                 } | ||||
|  | ||||
|                 categoryItem.addChild(lessonItem); | ||||
|                 // Does the lesson have stages | ||||
|                 if (lesson instanceof RandomLessonAdapter) { | ||||
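Review bot: L340 passes `WebSession.SHOWHINTS` to `setShowSource`, so the source button is gated on the hints permission; the commented-out block above (L333) shows the intended constant, and the line should read `lessonItem.setShowSource(lesson.isAuthorized(ws, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWSOURCE));`. Each of the two calls runs its own query through `isAuthorized` on every menu render, which the `@TODO` already acknowledges; fetching the role's function ids once per render would remove that. Non-challenge lessons never reach these calls and keep the `true` defaults from LessonMenuItem, which is worth a comment on the `if`. The commented-out block should be deleted once the approach is settled rather than kept as dead code.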
|  | ||||
| @ -75,12 +75,12 @@ public class WebSession { | ||||
|     /** | ||||
|      * Tomcat role for a webgoat user | ||||
|      */ | ||||
|     public final static String WEBGOAT_USER = "webgoat_user"; | ||||
|     public final static String WEBGOAT_USER = "ROLE_WEBGOAT_USER"; | ||||
|  | ||||
|     /** | ||||
|      * Tomcat role for a webgoat admin | ||||
|      */ | ||||
|     public final static String WEBGOAT_ADMIN = "webgoat_admin"; | ||||
|     public final static String WEBGOAT_ADMIN = "ROLE_WEBGOAT_ADMIN"; | ||||
|  | ||||
|     /** | ||||
|      * Description of the Field | ||||
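Review bot: Changing the values of `WEBGOAT_USER` and `WEBGOAT_ADMIN` to the `ROLE_` form changes what is matched against the `role` column of the `auth` table in `AbstractLesson.isAuthorized` (see that file's query hunk in this commit); if the seeded rows still hold `webgoat_user`/`webgoat_admin`, every check silently returns `false` instead of failing loudly. The seed data is not part of this commit, so it is worth confirming it moved in step. The Javadoc on both constants still says "Tomcat role"; if the prefix is there for Spring Security, say so, e.g. `// must match both the Spring Security role name and the role value stored in the auth table`.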
|  | ||||
| @ -107,7 +107,7 @@ public class WebgoatContext { | ||||
|         showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); | ||||
|         isDebug = "true".equals(getParameter(servlet, DEBUG)); | ||||
|         servletName = servlet.getServletName(); | ||||
|         defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("English"); | ||||
|         defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("en"); | ||||
|  | ||||
|         webgoati18n = new WebGoatI18N(this); | ||||
|  | ||||
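Review bot: `getParameter(servlet, DEFAULTLANGUAGE)` is evaluated twice on L368 and both branches wrap the result in a redundant `new String(...)`; read it once and drop the copies: `String configured = getParameter(servlet, DEFAULTLANGUAGE);` followed by `defaultLanguage = configured != null ? configured : "en";`. The constructor this line belongs to starts before the hunk.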
|  | ||||
| @ -113,11 +113,11 @@ | ||||
|                     <ul class="nano-content"> | ||||
|                         <li class="sub-menu" ng-repeat="item in menuTopics"> | ||||
|                             <a ng-click="accordionMenu(item.id)" href=""><i class="fa {{item.class}}"></i><span>{{item.name}}</span></a><!-- expanded = !expanded--> | ||||
|                             <ul class="slideDown lessonsAndStages" id="{{item.id}}" isOpen=0> | ||||
|                                 <li ng-repeat="lesson in item.children"> | ||||
|                                     <a ng-click="renderLesson(lesson.id,lesson.link)" id="{{lesson.id}}" title="link to {{lesson.name}}" href="">{{lesson.name}}</a><span class="{{lesson.completeClass}}"></span> | ||||
|                                     <span ng-repeat="stage in lesson.children" > | ||||
|                                         <a ng-click="renderLesson(lesson.id,stage.link)" id="{{stage.id}}"  title="link to {{stage.name}}" href="">{{stage.name}}</a><span class="{{stage.completeClass}}"></span> | ||||
|                             <ul class="slideDown lessonsAndStages {{item.displayClass}}" id="{{item.id}}" isOpen=0> | ||||
|                                 <li ng-repeat="lesson in item.children" class="{{lesson.selectedClass}}"> | ||||
|                                     <a ng-click="renderLesson(lesson.id,lesson.link,{showSource:lesson.showSource,showHints:lesson.showHints})" id="{{lesson.id}}" class="{{lesson.selectedClass}}" title="link to {{lesson.name}}" href="">{{lesson.name}}</a><span class="{{lesson.completeClass}}"></span> | ||||
|                                     <span ng-repeat="stage in lesson.children"> | ||||
|                                         <a ng-click="renderLesson(stage.id,stage.link,{showSource:stage.showSource,showHints:stage.showHints})" class="selectedClass" id="{{stage.id}}"  title="link to {{stage.name}}" href="">{{stage.name}}</a><span class="{{stage.completeClass}}"></span> | ||||
|                                     </span> | ||||
|                                 </li> | ||||
|                             </ul> | ||||
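Review bot: On L386 the stage anchor gets the literal `class="selectedClass"`, whereas the lesson anchor on L383 binds `class="{{lesson.selectedClass}}"`; the stage line almost certainly meant `class="{{stage.selectedClass}}"`, otherwise every stage carries a constant class name that no binding ever updates. The switch from `lesson.id` to `stage.id` in the stage's `renderLesson` call reads as intentional, but a short comment on why stages and lessons pass different ids to the same handler would save the next reader a trip through the controller.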
| @ -135,10 +135,11 @@ | ||||
|                             <div class="col-md-12" align="left"> | ||||
|                                 <div class="panel"> | ||||
|                                     <div class="panel-body"> | ||||
|                                         <button type="button" id="showSourceBtn" class="btn btn-primary btn-xs" ng-click="showLessonSource()">Java [Source]</button> | ||||
|                                         <button type="button" id="showSourceBtn" ng-show="showSource" class="btn btn-primary btn-xs" ng-click="showLessonSource()">Java [Source]</button> | ||||
|                                         <button type="button" id="showSolutionBtn" class="btn btn-primary btn-xs" ng-click="showLessonSolution()">Solution</button> | ||||
|                                         <button type="button" id="showPlanBtn" class="btn btn-primary btn-xs" ng-click="showLessonPlan()">Lesson Plan</button> | ||||
|                                         <button type="button" id="showHintsBtn" class="btn btn-primary btn-xs"  ng-click="viewHints()">Hints</button> | ||||
|                                         <button type="button" id="showHintsBtn" ng-show="showHints" class="btn btn-primary btn-xs"  ng-click="viewHints()">Hints</button> | ||||
|                                         <button type="button" id="restartLessonBtn"  class="btn btn-xs"  ng-click="restartLesson()">Restart Lesson</button> | ||||
|                                     </div> | ||||
|                                 </div> | ||||
|                                 <div class="lessonHelp" id="lesson_hint_row"> | ||||
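Review bot: `ng-show="showSource"` and `ng-show="showHints"` only hide the buttons in the browser; the flags arrive in the menu JSON and are client-side state, so whatever endpoints `showLessonSource()` and `viewHints()` call must run the same `isAuthorized` check on the server (those endpoints are not in this commit, so this is a point to confirm rather than a defect observed here). A one-line comment next to the buttons, `<!-- ng-show is presentation only; the source and hints services enforce authorization server-side -->`, makes the intended split explicit for the next maintainer.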
| @ -148,8 +149,8 @@ | ||||
|                                             <span class="glyphicon-class glyphicon glyphicon-circle-arrow-left" id="showPrevHintBtn" ng-click="viewPrevHint()"></span> | ||||
|                                             <span class="glyphicon-class glyphicon glyphicon-circle-arrow-right" id="showNextHintBtn" ng-click="viewNextHint()"></span> | ||||
|                                             <br/> | ||||
|                                              | ||||
|                                             <span id="curHintContainer"></span><!--{{curHint}}--> | ||||
|                                             <span ng-show="showHints" bind-html-unsafe="curHint"></span> | ||||
|                                             <!--<span id="curHintContainer"></span>--> | ||||
|                                         </div>                                     | ||||
|                                     </div> | ||||
|                                 </div> | ||||
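Review bot: `bind-html-unsafe="curHint"` (L410) injects the hint as raw HTML with no sanitization; that is acceptable only if hints are authored server-side and never incorporate user-supplied text, and the directive was removed from AngularJS core after the 1.1 line in favour of `ng-bind-html` with `$sce`, so unless a custom `bind-html-unsafe` directive ships with the app this span renders nothing. Either way a comment recording where `curHint` comes from belongs here, e.g. `<!-- curHint is server-authored lesson text; rendered unsanitized on purpose -->`.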
| @ -175,9 +176,10 @@ | ||||
|                                         <div id="cookiesAndParamsView"> | ||||
|                                             <div class="cookiesView"> | ||||
|                                                 <h4>Cookies</h4> | ||||
|                                                 <table class="cookieTable table-striped table-nonfluid" ng-repeat="cookie in cookies"> | ||||
|                                                 <div class="cookieContainer" ng-repeat="cookie in cookies"> | ||||
|                                                 <table class="cookieTable table-striped table-nonfluid" > | ||||
|                                                     <thead> | ||||
|                                                         <tr><th>Field</th><th>Value</th></tr> | ||||
|                                                         <tr><th class="col-sm-1"></th><th class="col-sm-1"></th></tr> <!-- Field / Value --> | ||||
|                                                     </thead> | ||||
|                                                     <tbody> | ||||
|                                                         <tr ng-repeat="(key, value) in cookie"> | ||||
| @ -188,6 +190,7 @@ | ||||
|                                                     <!--<li ng-repeat="(key, value) in cookie">{{key}} :: {{ value}} </td>--> | ||||
|                                                     <!--</ul>--> | ||||
|                                                 </table> | ||||
|                                                 </div> | ||||
|                                             </div> | ||||
|                                             <div id="paramsView"> <!--class="paramsView"--> | ||||
|                                                 <h4>Params</h4> | ||||
| @ -293,9 +296,7 @@ | ||||
|  | ||||
|             $(document).ready(function() { | ||||
|                 //TODO merge appliction.js code into other js files | ||||
|                 app.init(); | ||||
|                  | ||||
|                  | ||||
|                 app.init();                | ||||
|             }); | ||||
|             // make all forms ajax forms | ||||
|             var options = { | ||||
| @ -353,6 +354,9 @@ | ||||
|                 // make any embedded forms ajaxy | ||||
|                 goat.utils.showLessonCookiesAndParams(); | ||||
|                 goat.utils.makeFormsAjax(); | ||||
|                 goat.utils.ajaxifyAttackHref(); //TODO find some way to hook scope for current menu. Likely needs larger refactor which is already started/stashed | ||||
|                 //refresh menu | ||||
|                 angular.element($('#leftside-navigation')).scope().renderMenu(); | ||||
|             } | ||||
|  | ||||
|         </script> | ||||
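Review bot: `angular.element($('#leftside-navigation')).scope().renderMenu()` (L453) reaches into an Angular scope from plain jQuery code, which the adjacent TODO already flags; beyond coupling this callback to a DOM id, `.scope()` is only available while Angular debug info is enabled (1.3+ lets apps turn it off with `$compileProvider.debugInfoEnabled(false)`), in which case this line throws on `undefined`. Until the refactor lands, a `$rootScope.$broadcast` from a small service, or at least a null check on the scope, would keep a production configuration from breaking form submission.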
|  | ||||
| @ -162,6 +162,10 @@ | ||||
|              --> | ||||
|             <param-value>jdbc:hsqldb:mem:${USER}</param-value> | ||||
|         </init-param> | ||||
|         <init-param> | ||||
|             <param-name>DefaultLanguage</param-name> | ||||
|             <param-value>en</param-value> | ||||
|         </init-param> | ||||
|         <!-- Load this servlet at server startup time --> | ||||
|         <load-on-startup>5</load-on-startup> | ||||
|     </servlet> | ||||
|  | ||||
| @ -1,3 +1,7 @@ | ||||
| #lesson.BufferOverflow.hidden=true | ||||
| # | ||||
| # These lesson need to be refactored | ||||
| lesson.BlindScript.hidden=true | ||||
| lesson.RemoteAdminFlaw.hidden=true | ||||
| lesson.HttpSplitting.hidden=true | ||||
| lesson.BasicAuthentication.hidden=true | ||||
| @ -141,99 +141,18 @@ img { | ||||
|   margin-top:25px; | ||||
|   margin-right:20px; | ||||
| } | ||||
| /* Sidebar */ | ||||
| .sidebar { | ||||
|   width: 240px; | ||||
|   /*height: 100%;*/ | ||||
|   background: #222; | ||||
|   position: absolute; | ||||
|   -webkit-transition: all 0.3s ease-in-out; | ||||
|   -moz-transition: all 0.3s ease-in-out; | ||||
|   -o-transition: all 0.3s ease-in-out; | ||||
|   -ms-transition: all 0.3s ease-in-out; | ||||
|   transition: all 0.3s ease-in-out; | ||||
|   z-index: 100; | ||||
| } | ||||
|  | ||||
| #leftside-navigation { | ||||
|   overflow-y:scroll; | ||||
|   overflow-x:hidden; | ||||
| } | ||||
|  | ||||
| #sidebar { | ||||
|   /*background-color:#333;*/ | ||||
|   background-color:blue; | ||||
| } | ||||
|  | ||||
|    | ||||
| .sidebar-toggle { | ||||
|   margin-left: -240px; | ||||
| } | ||||
| #leftside-navigation ul, | ||||
| #leftside-navigation ul ul { | ||||
|   margin: -2px 0 0; | ||||
|   padding: 0; | ||||
| } | ||||
| #leftside-navigation ul li { | ||||
|   list-style-type: none; | ||||
|   border-bottom: 1px solid rgba(255, 255, 255, 0.05); | ||||
| } | ||||
| #leftside-navigation ul li a { | ||||
|   color: #aeb2b7; | ||||
|   text-decoration: none; | ||||
|   display: block; | ||||
|   padding: 18px 0 18px 25px; | ||||
|   font-size: 12px; | ||||
|   outline: none; | ||||
|   -webkit-transition: all 200ms ease-in; | ||||
|   -moz-transition: all 200ms ease-in; | ||||
|   -o-transition: all 200ms ease-in; | ||||
|   -ms-transition: all 200ms ease-in; | ||||
|   transition: all 200ms ease-in; | ||||
| } | ||||
| #leftside-navigation ul li a span { | ||||
|   display: inline-block; | ||||
| } | ||||
| #leftside-navigation ul ul li { | ||||
|   background: #333; | ||||
|   margin-bottom: 0; | ||||
|   margin-left: 0; | ||||
|   margin-right: 0; | ||||
|   border-bottom: none; | ||||
| } | ||||
| #leftside-navigation ul ul li a { | ||||
|   font-size: 12px; | ||||
|   padding-top: 13px; | ||||
|   padding-bottom: 13px; | ||||
|   color: #aeb2b7; | ||||
| } | ||||
| #leftside-navigation ul li a i { | ||||
|   width: 20px; | ||||
| } | ||||
| #leftside-navigation ul li a i.fa-angle-right, | ||||
| #leftside-navigation ul li a i.fa-angle-left { | ||||
|   padding-top: 3px; | ||||
| } | ||||
| #leftside-navigation ul ul { | ||||
|   display: none; | ||||
| } | ||||
| #leftside-navigation li.active ul { | ||||
|   display: block; | ||||
| } | ||||
| #leftside-navigation ul li a:hover, | ||||
| #leftside-navigation ul li.active > a { | ||||
|   color: #e84c3d; | ||||
| } | ||||
| .btn-primary + .dropdown-menu > li > a:hover, | ||||
| .btn-primary + .dropdown-menu > li > a:active { | ||||
|   background-color: #16a086; | ||||
| } | ||||
|  | ||||
| .sidebar > div > ul > li > ul > li > span.lessonComplete { | ||||
|     float: right; | ||||
|     margin-left: 1.5em; | ||||
|     /*float: right; | ||||
|     margin-left: 1.5em;*/ | ||||
|     margin-right: 5px; | ||||
|     margin-top: -25px; | ||||
|     margin-top: -38px; /* << don't like doing this, but otherwise it does not line up correctly */ | ||||
|     color:#0F0 | ||||
| } | ||||
|  | ||||
| /* ========================================================================== | ||||
| @ -797,14 +716,110 @@ fieldset[disabled] .btn-warning.active { | ||||
|  | ||||
| .table-nonfluid { | ||||
|   width:auto; | ||||
|  margin-bottom:15px;  | ||||
| } | ||||
|  | ||||
| cookieContainer { | ||||
| 	margin-bottom:4px; | ||||
| } | ||||
|  | ||||
| .cookieTable tr td, .paramsTable tr td { | ||||
|   padding: 3px; | ||||
|   max-width: 200px; | ||||
|   font-size: x-small; | ||||
|   word-wrap: break-word; | ||||
| } | ||||
| /* MENU */ | ||||
|  | ||||
| /* ========================================================================== | ||||
|    MENU / Sidebar | ||||
|    ========================================================================== */ | ||||
| /* Sidebar */ | ||||
| .sidebar { | ||||
|   width: 240px; | ||||
|   /*height: 100%;*/ | ||||
|   background: #222; | ||||
|   position: absolute; | ||||
|   -webkit-transition: all 0.3s ease-in-out; | ||||
|   -moz-transition: all 0.3s ease-in-out; | ||||
|   -o-transition: all 0.3s ease-in-out; | ||||
|   -ms-transition: all 0.3s ease-in-out; | ||||
|   transition: all 0.3s ease-in-out; | ||||
|   z-index: 100; | ||||
| } | ||||
|  | ||||
| #leftside-navigation { | ||||
|   overflow-y:scroll; | ||||
|   overflow-x:hidden; | ||||
| } | ||||
|  | ||||
| #sidebar { | ||||
|   /*background-color:#333;*/ | ||||
|   background-color:blue; | ||||
| } | ||||
|  | ||||
|    | ||||
| .sidebar-toggle { | ||||
|   margin-left: -240px; | ||||
| } | ||||
| #leftside-navigation ul, | ||||
| #leftside-navigation ul ul { | ||||
|   margin: -2px 0 0; | ||||
|   padding: 0; | ||||
| } | ||||
| #leftside-navigation ul li { | ||||
|   list-style-type: none; | ||||
|   border-bottom: 1px solid rgba(255, 255, 255, 0.05); | ||||
| } | ||||
|  | ||||
|  | ||||
| #leftside-navigation ul li a { | ||||
|   color: #aeb2b7; | ||||
|   text-decoration: none; | ||||
|   display: block; | ||||
|   padding: 5px 0 5px 15px; | ||||
|   font-size: 12px; | ||||
|   outline: none; | ||||
|   -webkit-transition: all 200ms ease-in; | ||||
|   -moz-transition: all 200ms ease-in; | ||||
|   -o-transition: all 200ms ease-in; | ||||
|   -ms-transition: all 200ms ease-in; | ||||
|   transition: all 200ms ease-in; | ||||
| } | ||||
| #leftside-navigation ul li a span { | ||||
|   display: inline-block; | ||||
| } | ||||
| #leftside-navigation ul ul li { | ||||
|   background: #333; | ||||
|   margin-bottom: 0; | ||||
|   margin-left: 0; | ||||
|   margin-right: 0; | ||||
|   border-bottom: none; | ||||
| } | ||||
| #leftside-navigation ul ul li a { | ||||
|   font-size: 11px; | ||||
|   padding-top: 5px; | ||||
|   padding-bottom: 5px; | ||||
|   color: #aeb2b7; | ||||
|   margin-left:8px; | ||||
| } | ||||
| #leftside-navigation ul li a i { | ||||
|   width: 20px; | ||||
| } | ||||
| #leftside-navigation ul li a i.fa-angle-right, | ||||
| #leftside-navigation ul li a i.fa-angle-left { | ||||
|   padding-top: 3px; | ||||
| } | ||||
| #leftside-navigation ul ul { | ||||
|   display: none; | ||||
| } | ||||
| #leftside-navigation li.active ul { | ||||
|   display: block; | ||||
| } | ||||
| #leftside-navigation ul li a:hover, | ||||
| #leftside-navigation ul li.active > a { | ||||
|   color: #e84c3d; | ||||
| } | ||||
|  | ||||
| .sidebar ul span.lessonComplete { | ||||
|     float: right; | ||||
|     margin-left: -5px; | ||||
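Review bot: `cookieContainer {` near the top of this hunk is a bare type selector, so it only matches an element literally named `<cookieContainer>` and the `margin-bottom:4px` it sets is almost certainly never applied; presumably `#cookieContainer` or `.cookieContainer` was intended, depending on the markup. The `#sidebar` rule also keeps the commented-out `/*background-color:#333;*/` next to the live `background-color:blue;`, and `.sidebar` keeps `/*height: 100%;*/`; delete those or say why they stay, since commented-out declarations read as unfinished work. Whether each of these lines is new or context cannot be told from this rendering.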
| @ -820,6 +835,9 @@ fieldset[disabled] .btn-warning.active { | ||||
|   color:white; | ||||
| } | ||||
|  | ||||
| #leftside-navigation ul ul.lessonsAndStages.keepOpen { | ||||
|   display: block | ||||
| } | ||||
|  | ||||
| /* HINTS */ | ||||
| #hintsViewTop{ | ||||
|  | ||||
| @ -4,6 +4,7 @@ var goatConstants = { | ||||
| 	CATEGORYCLASS:'fa-angle-right pull-right', | ||||
| 	lessonCompleteClass:'glyphicon glyphicon-check lessonComplete', | ||||
| 	selectedMenuClass:'selected', | ||||
| 	keepOpenClass:'keepOpen', | ||||
| 	menuPrefix : [ | ||||
| 		{ | ||||
| 		name:'LESSONS', | ||||
| @ -22,9 +23,12 @@ var goatConstants = { | ||||
| 	lessonPlanService:'service/lessonplan.mvc', | ||||
| 	menuService: 'service/lessonmenu.mvc', | ||||
| 	lessonTitleService: 'service/lessontitle.mvc', | ||||
| 	// literals | ||||
| 	restartLessonService: 'service/restartlesson.mvc', | ||||
| 	 | ||||
| 	// literal messages | ||||
| 	notFound: 'Could not find', | ||||
| 	noHints: 'There are no hints defined.' | ||||
| 	noHints: 'There are no hints defined.', | ||||
| 	noSourcePulled: 'No source was retrieved for this lesson' | ||||
| 	 | ||||
| }; | ||||
|  | ||||
|  | ||||
| @ -13,10 +13,17 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) { | ||||
| 		var menuItems = goat.utils.addMenuClasses(goatConstants.menuPrefix.concat(menuData.data)); | ||||
| 		//top-tier 'categories' | ||||
| 		for (var i=0;i<menuItems.length;i++) { | ||||
| 		    menuItems[i].id = menuItems[i].name.replace(/\s|\(|\)/g,''); | ||||
| 		    menuItems[i].id = goat.utils.makeId(menuItems[i].name);//TODO move the replace routine into util function | ||||
| 		    menuItems[i].displayClass= ($scope.openMenu === menuItems[i].id) ? goatConstants.keepOpenClass : ''; | ||||
| 		    if (menuItems[i].children) { | ||||
| 			for (var j=0;j<menuItems[i].children.length;j++){ | ||||
| 			    menuItems[i].children[j].id = menuItems[i].children[j].name.replace(/\s|\(|\)/g,''); | ||||
| 			    menuItems[i].children[j].id = goat.utils.makeId(menuItems[i].children[j].name); | ||||
| 			    //handle selected Menu state | ||||
| 			    if (menuItems[i].children[j].id === $scope.curMenuItemSelected) { | ||||
| 				menuItems[i].children[j].selectedClass = goatConstants.selectedMenuClass; | ||||
| 				menuItems[i].selectedClass = goatConstants.selectedMenuClass; | ||||
| 			    } | ||||
| 			    //handle complete state | ||||
| 			    if (menuItems[i].children[j].complete) { | ||||
| 				menuItems[i].children[j].completeClass = goatConstants.lessonCompleteClass; | ||||
| 			    } else { | ||||
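Review bot: The trailing `//TODO move the replace routine into util function` on `menuItems[i].id = goat.utils.makeId(menuItems[i].name);` is stale, since the line now does exactly that, and should be dropped; the same stale comment also sits inside `goat.utils.makeId` itself in the utils hunk. In the next hunk the old `.name.replace(/\s|\(|\)/g,'')` line for the third menu level is kept as a commented-out duplicate directly under its replacement, and the `//TODO make utility function for name >> id` above it is equally obsolete; remove both rather than leaving dead code beside the live call. The renderMenu callback starts before this hunk and continues past it.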
| @ -25,7 +32,14 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) { | ||||
| 			    if (menuItems[i].children[j].children) { | ||||
| 				for (var k=0;k < menuItems[i].children[j].children.length;k++) { | ||||
| 				    //TODO make utility function for name >> id | ||||
| 				    menuItems[i].children[j].children[k].id = menuItems[i].children[j].children[k].name.replace(/\s|\(|\)/g,''); | ||||
| 				    menuItems[i].children[j].children[k].id = goat.utils.makeId(menuItems[i].children[j].children[k].name); | ||||
| 				    //menuItems[i].children[j].children[k].id = menuItems[i].children[j].children[k].name.replace(/\s|\(|\)/g,''); | ||||
| 				    //handle selected Menu state | ||||
| 				    if (menuItems[i].children[j].children[k].id === $scope.curMenuItemSelected) { | ||||
| 					menuItems[i].children[j].children[k].selectedClass = goatConstants.selectedMenuClass; | ||||
| 					menuItems[i].children[j].selectedClass = goatConstants.selectedMenuClass; | ||||
| 				    } | ||||
| 				    //handle complete state | ||||
| 				    if (menuItems[i].children[j].children[k].complete) { | ||||
| 					menuItems[i].children[j].children[k].completeClass= goatConstants.lessonCompleteClass; | ||||
| 				    } else { | ||||
| @ -37,6 +51,11 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) { | ||||
| 		    } | ||||
| 		} | ||||
| 		$scope.menuTopics = menuItems; | ||||
| 		// | ||||
| 		if ($scope.openMenu) { | ||||
| 		    $('ul'+$scope.openMenu).show(); | ||||
| 		} | ||||
| 		 | ||||
| 	    }, | ||||
| 	    function(error) { | ||||
| 		// TODO - handle this some way other than an alert | ||||
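Review bot: `$('ul'+$scope.openMenu).show();` builds the selector without the `#` that every other lookup of this id uses (`$('ul#'+id)` in accordionMenu), so it looks for a tag named `ul<id>`, matches nothing, and the remembered menu is never reopened; it should read `$('ul#'+$scope.openMenu).show();`. The bare `//` on the line above it is an empty comment and should go. The enclosing menu callback starts before this hunk.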
| @ -45,18 +64,13 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) { | ||||
| 	); | ||||
|     }; | ||||
|  | ||||
|     $scope.renderLesson = function(id,url) { | ||||
|         //console.log(url + ' was passed in'); | ||||
|         // use jquery to render lesson content to div | ||||
|     $scope.renderLesson = function(id,url,showControls) {//TODO convert to single object parameter | ||||
|         $scope.hintIndex = 0; | ||||
|         var curScope = $scope; | ||||
| 	$('.lessonHelp').hide(); | ||||
| 	// clean up menus, mark selected | ||||
| 	$('ul li.selected').removeClass(goatConstants.selectedMenuClass) | ||||
| 	$('ul li.selected a.selected').removeClass(goatConstants.selectedMenuClass) | ||||
| 	$('#'+id).addClass(goatConstants.selectedMenuClass); | ||||
| 	$('#'+id).parent().addClass(goatConstants.selectedMenuClass); | ||||
| 	// | ||||
| 	$scope.curMenuItemSelected = id; | ||||
| 	goat.utils.highlightCurrentLessonMenu(id); | ||||
|         curScope.parameters = goat.utils.scrapeParams(url); | ||||
| 	// lesson content | ||||
|         goat.data.loadLessonContent($http,url).then( | ||||
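Review bot: `renderLesson(id,url,showControls)` gains a third parameter whose shape is documented nowhere; the only reader is the `lessonUpdate` handler in goatLesson, which tests `showControls.showHints` and `showControls.showSource`. A comment on the signature such as `// showControls: {showHints: bool, showSource: bool}; forwarded unchanged in the 'lessonUpdate' event` would spare the next reader the cross-file hunt. The body of renderLesson continues in the next hunk.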
| @ -66,13 +80,18 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) { | ||||
| 			    $("#lessonTitle").text(reply.data); | ||||
| 		    } | ||||
| 		); | ||||
| 		//TODO encode html or get angular js portion working | ||||
| 		$("#lesson_content").html(reply.data); | ||||
| 		//hook forms | ||||
| 		goat.utils.makeFormsAjax(); | ||||
| 		$('#leftside-navigation').height($('#main-content').height()+15) | ||||
| 		$scope.$emit('lessonUpdate',{params:curScope.parameters}); | ||||
| 		goat.utils.makeFormsAjax();// inject form? | ||||
| 		goat.utils.ajaxifyAttackHref(); | ||||
| 		$('#leftside-navigation').height($('#main-content').height()+15)//TODO: get ride of fixed value (15)here | ||||
| 		//notifies goatLesson Controller of the less change | ||||
| 		$scope.$emit('lessonUpdate',{params:curScope.parameters,'showControls':showControls}); | ||||
| 	    } | ||||
|     )}; | ||||
| 	) | ||||
| 	$scope.renderMenu();	 | ||||
|     }; | ||||
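Review bot: `$scope.renderMenu();` on the line after the closing `)` runs as soon as the content request is issued, not when it completes, so the menu (and its completion markers) is re-fetched on every lesson render in parallel with the lesson load; if the intent is to show state after the lesson has loaded, move the call into the `then` callback, otherwise a one-line comment stating that the parallel refetch is deliberate would help. Both the `)` that closes the `.then(...)` call and the `.height(...+15)` line rely on automatic semicolon insertion; add the `;` so the statement boundary does not depend on the following line. renderLesson's body begins in the previous hunk.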
|     $scope.accordionMenu = function(id) { | ||||
| 	if ($('ul#'+id).attr('isOpen') == 0) { | ||||
| 	    $scope.expandMe = true;     | ||||
| @ -80,6 +99,7 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) { | ||||
| 	    $('ul#'+id).slideUp(300).attr('isOpen',0); | ||||
| 	    return; | ||||
| 	} | ||||
| 	$scope.openMenu = id; | ||||
| 	$('.lessonsAndStages').not('ul#'+id).slideUp(300).attr('isOpen',0); | ||||
| 	if ($scope.expandMe) { | ||||
| 	    $('ul#'+id).slideDown(300).attr('isOpen',1); | ||||
| @ -101,6 +121,8 @@ var goatLesson = function($scope,$http,$log) { | ||||
| 	 | ||||
| 	$scope.$on('lessonUpdate',function(params){ | ||||
| 	    $scope.parameters = arguments[1].params; | ||||
| 	    $scope.showHints = (arguments[1].showControls && arguments[1].showControls.showHints); | ||||
| 	    $scope.showSource = (arguments[1].showControls && arguments[1].showControls.showSource); | ||||
| 	    curScope = $scope; //TODO .. update below, this curScope is probably not needed | ||||
| 	    goat.data.loadCookies($http).then( | ||||
| 		function(resp) { | ||||
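Review bot: The new `$scope.showHints`/`$scope.showSource` lines read the event payload through `arguments[1]` while the handler's only declared parameter is named `params` yet actually receives the Angular event object; naming both arguments makes the code self-describing, e.g. `$scope.$on('lessonUpdate', function(event, data) {` with `data.params` and `data.showControls`. The parenthesised `(a && a.b)` form also yields `undefined` rather than `false` when `showControls` is absent, so `!!(...)` keeps the two flags strictly boolean. The handler continues past this hunk.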
| @ -109,22 +131,32 @@ var goatLesson = function($scope,$http,$log) { | ||||
| 	    ); | ||||
| 	    //hints | ||||
| 	    curScope.hintIndex = 0; | ||||
| 	    goat.data.loadHints($http).then( | ||||
| 		function(resp) { | ||||
| 		    curScope.hints = resp.data; | ||||
| 		    if (curScope.hints.length > 0 && curScope.hints[0].hint.indexOf(goatConstants.noHints) === -1) { | ||||
| 			goat.utils.displayButton('showHintsBtn', true); | ||||
| 		    } else { | ||||
| 			goat.utils.displayButton('showHintsBtn', false); | ||||
| 	    if ($scope.showHints) { | ||||
| 		goat.data.loadHints($http).then( | ||||
| 		    function(resp) { | ||||
| 			curScope.hints = resp.data; | ||||
| 			if (curScope.hints.length > 0 && curScope.hints[0].hint.indexOf(goatConstants.noHints) === -1) { | ||||
| 			    goat.utils.displayButton('showHintsBtn', true); | ||||
| 			} else { | ||||
| 			    goat.utils.displayButton('showHintsBtn', false); | ||||
| 			} | ||||
| 		    } | ||||
| 		} | ||||
| 	    ); | ||||
| 		); | ||||
| 	    } else { | ||||
| 		$scope.hints = null; | ||||
| 		goat.utils.displayButton('showHintsBtn', false); | ||||
| 	    } | ||||
| 	    //source | ||||
| 	    goat.data.loadSource($http).then( | ||||
| 	    if ($scope.showSource) { | ||||
| 		goat.data.loadSource($http).then( | ||||
| 		    function(resp) { | ||||
| 			curScope.source = resp.data; | ||||
| 		    } | ||||
| 	    ); | ||||
| 		); | ||||
| 	    } else { | ||||
| 		$scope.source = goatConstants.noSourcePulled; | ||||
| 	    } | ||||
| 	     | ||||
| 	    //plan | ||||
| 	    goat.data.loadPlan($http).then( | ||||
| 		    function(resp) { | ||||
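Review bot: The two new `else` branches assign `$scope.hints = null` and `$scope.source = goatConstants.noSourcePulled` while the success callbacks beside them write `curScope.hints` and `curScope.source`; `curScope` is just `$scope` (assigned earlier in this handler, with a TODO already calling it unnecessary), so use one name within the handler. Setting `hints` to `null` also means any later index into `$scope.hints[...]` (the hint-display code in a later hunk does `$scope.hints[$scope.hintIndex].hint`) throws if it is reached while hints are disabled; `[]` is the safer "no hints" value, and it keeps the existing `.length` check working. The handler starts before this hunk and continues after it.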
| @ -188,7 +220,7 @@ var goatLesson = function($scope,$http,$log) { | ||||
|         $scope.curHint = $scope.hints[$scope.hintIndex].hint; | ||||
| 	//$scope.curHint = $sce.trustAsHtml($scope.hints[$scope.hintIndex].hint); | ||||
| 	//TODO get html binding workin in the UI ... in the meantime ... | ||||
| 	$scope.renderCurHint(); | ||||
| 	//$scope.renderCurHint(); | ||||
|         $scope.manageHintButtons(); | ||||
|     }; | ||||
|  | ||||
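Review bot: Commenting out `$scope.renderCurHint();` leaves it unclear whether the call is retired or only temporarily disabled while the HTML binding noted in the TODO above is unfinished; either delete the line or extend that TODO to say the call returns once the binding works. The enclosing function begins outside this hunk.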
| @ -213,6 +245,14 @@ var goatLesson = function($scope,$http,$log) { | ||||
|     $scope.hideHints = function() { | ||||
|  | ||||
|     }; | ||||
|      | ||||
|     $scope.restartLesson = function () { | ||||
| 	goat.data.loadRestart($http).then( | ||||
| 	    function(resp) { | ||||
| 		angular.element($('#leftside-navigation')).scope().renderLesson(null,resp.data,{showSource:$scope.showSource,showHints:$scope.showHints}); | ||||
| 	    } | ||||
| 	) | ||||
|     } | ||||
|  | ||||
|     $scope.showAbout = function() { | ||||
|         $('#aboutModal').modal({ | ||||
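Review bot: `restartLesson` passes `null` as the `id` to `renderLesson`, which (per the earlier hunk) stores it in `curMenuItemSelected` and calls `goat.utils.highlightCurrentLessonMenu(null)`; that clears the current selection and then tries to add the class to `$('#null')`, so the restarted lesson loses its menu highlight and the subsequent `renderMenu()` rebuilds with no item selected. Pass the current menu id instead, e.g. read `curMenuItemSelected` from the scope you already obtain via `angular.element($('#leftside-navigation')).scope()`, or have renderLesson keep the existing selection when `id` is null. Reaching into another controller's scope through the DOM is fragile; a `$scope.$emit`/`$broadcast` or a shared service is the usual Angular route. The `)` closing the `.then(...)` and the function's closing `}` both lack a terminating `;`.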
|  | ||||
| @ -36,5 +36,9 @@ goat.data = { | ||||
|     }, | ||||
|     loadLessonTitle: function ($http) { | ||||
|         return $http({method: 'GET', url: goatConstants.lessonTitleService}); | ||||
|     }, | ||||
|     loadRestart: function ($http) { | ||||
|         return $http({method: 'GET', url:goatConstants.restartLessonService}) | ||||
|     } | ||||
|      | ||||
| }; | ||||
|  | ||||
| @ -80,6 +80,32 @@ goat.utils = { | ||||
|             paramsArr.push(paramObj); | ||||
|         } | ||||
|         return paramsArr; | ||||
|     }, | ||||
|     highlightCurrentLessonMenu: function(id) { | ||||
|         //TODO: move selectors in first two lines into goatConstants | ||||
|         $('ul li.selected').removeClass(goatConstants.selectedMenuClass) | ||||
| 	$('ul li.selected a.selected').removeClass(goatConstants.selectedMenuClass) | ||||
| 	$('#'+id).addClass(goatConstants.selectedMenuClass); | ||||
| 	$('#'+id).parent().addClass(goatConstants.selectedMenuClass); | ||||
|     }, | ||||
|     makeId: function (lessonName) { | ||||
|         return lessonName.replace(/\s|\(|\)|\!|\:|\;|\@|\#|\$|\%|\^|\&|\*/g,'');//TODO move the replace routine into util function | ||||
|     }, | ||||
|     ajaxifyAttackHref: function () { | ||||
|         $.each($('a[href^="attack?"]'), | ||||
|             function(i,el) { | ||||
|                 var url = $(el).attr('href'); | ||||
|                 $(el).attr('href','#'); | ||||
|                 $(el).attr('link',url); | ||||
|                 //TODO pull currentMenuId | ||||
|                 $(el).click( | ||||
|                     function() { | ||||
|                         var _url = $(el).attr('link'); | ||||
|                         $.get(_url, {success:showResponse}); | ||||
|                     } | ||||
|                 ) | ||||
|             } | ||||
|         ); | ||||
|     } | ||||
| }; | ||||
|  | ||||
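Review bot: In `ajaxifyAttackHref`, `$.get(_url, {success:showResponse})` passes a plain object as jQuery's second argument, which `$.get` treats as request data rather than options, so `showResponse` is never registered as the success callback (and `$.param` invokes function-valued data while serialising it) and the response is silently dropped; it should be `$.get(_url, showResponse);`, and `showResponse` is not defined in this file, so confirm it is a global at that point. The click handler also neither returns `false` nor calls `preventDefault()`, so the rewritten `href='#'` still scrolls the page to the top on every click. Separately, `makeId` strips a denylist of characters but its result is interpolated into selectors (`$('#'+id)`, `$('ul#'+id)`), where any remaining `.`, `,`, `'`, `/`, `+` or `>` in a lesson name would break or redirect the lookup; an allowlist such as `return lessonName.replace(/[^A-Za-z0-9_-]/g,'');` is the robust form.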
|  | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Using an Access Control Matrix</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| In a role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control scheme normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role.   | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Each user is a member of a role that is allowed to access only certain resources. Your goal is to explore the access control rules that govern this site. Only the [Admin] group should have access to the 'Account Manager' resource. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,23 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Create Database Back Door Attacks.</p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| How to Create Database Back Door Attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| Databases are used usually as a backend for web applications. Also it is used as a media of storage. It can also | ||||
| be used as a place to store a malicious activity such as a trigger. A trigger is called by the database management | ||||
| system upon the execution of another database operation like insert, select, update or delete. An attacker for example | ||||
| can create a trigger that would set his email address instead of every new user's email address. | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * Your goal should be to learn how you can exploit a vulnerable query to create a trigger.<br> | ||||
| * You will not be able to actually create one in this lesson because the underlying database engine used with WebGoat doesn't support triggers.<br> | ||||
| * Your login ID is 101.  | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> Basic Authentication </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| Basic Authentication is used to protect server side resources.  The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and send those credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.<br/> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| For this lesson, your goal is to understand Basic Authentication and answer the questions below. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,15 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Blind SQL Injection </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.  | ||||
| <br> | ||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.<br> | ||||
| <br> | ||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The form below allows a user to enter an account number and determine if it is valid or not.  Use this form to develop a true / false test check other entries in the database.<br><br>Reference Ascii Values: 'A' = 65   'Z' = 90   'a' = 97   'z' = 122<br><br>The goal is to find the value of the first_name in table user_data for userid 15613.  Put that name in the form to pass the lesson. | ||||
| @ -1,26 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Cross Site Request Forgery. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  This lesson teaches how to perform Cross Site Request Forgery (CSRF) attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains img links like the one below:  | ||||
|  | ||||
| <pre><img src="<a href="http://www.mybank.com/transferFunds.do?acctId=123456" class='external free' title="http://www.mybank.com/transferFunds.do?acctId=123456" rel="nofollow">http://www.mybank.com/sendFunds.do?acctId=123456</a>"/></pre> | ||||
|  | ||||
| When the victim's browser attempts to render this page, it will issue a request to www.mybank.com to the transferFunds.do page with the specified parameters. The browser will think the link is to get an image, even though it actually is a funds transfer function.  | ||||
|  | ||||
| The request will include any cookies associated with the site. Therefore, if the user has authenticated to the site, and has either a permanent cookie or even a current session cookie, the site will have no way to distinguish this from a legitimate user request.  | ||||
|  | ||||
| In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, or any other function provided by the vulnerable website | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/><b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,7 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Putting it all together </p> | ||||
| </div><br/> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| This lesson creates a challenge that will help the student apply all that they have learned.<br/> | ||||
| <b>General Goal(s):</b><br/> | ||||
| Display the secret message. | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>Client Side Filtering</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to send to the client only information which they are supposed | ||||
| to have access to.  In this lesson, too much information is being sent to the client, creating | ||||
| a serious access control problem. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, your mission is exploit the extraneous information being returned by the | ||||
| server to discover information to which you should not have access. | ||||
| @ -1,15 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>Insecure Client Storage</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to validate all input on the server side.  Leaving the | ||||
| mechanism for validation on the client side leaves it vulnerable to reverse | ||||
| engineering.  Remember, anything on the client side should not be | ||||
| considered a secret. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, your mission is to discover a coupon code to receive an unintended | ||||
| discount.  Then, exploit the use of client side validation to submit an order with a | ||||
| cost of zero. | ||||
|  | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Command Injection</p> | ||||
|  </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| Command  injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.<br/> | ||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.<br/> | ||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br/> | ||||
| Try to inject a command to the operating system. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| The user should be able to execute any command on the hosting OS.   | ||||
| @ -1,22 +0,0 @@ | ||||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> | ||||
| <html> | ||||
| <head> | ||||
|                 | ||||
|   <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> | ||||
|   <title>Lesson Plan</title> | ||||
| </head> | ||||
|   <body> | ||||
|   | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> Shopping Cart Concurrency Flaw </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  Web applications can handle many HTTP requests simultaneously.  Developers often use variables that are not thread safe.  Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time. Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently. <br> | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price. | ||||
| <br> | ||||
| </body> | ||||
| </html> | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.<br> | ||||
| XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.  | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| For this exercise, you will perform stored and reflected XSS attacks.  You will also implement code changes in the web application to defeat these attacks. | ||||
| <br> | ||||
|  | ||||
| @ -1,33 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b>CSRF User Prompt By-Pass</p><br/> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| This lesson teaches how to perform CSRF attacks that by-pass user confirmation prompts. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| <p> | ||||
| Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page  | ||||
| that contains a 'forged request' to execute commands with the victim's credentials.  Prompting  | ||||
| a user to confirm or cancel the command might sound like a solution, but can be by-passed if  | ||||
| the prompt is scriptable.  This lesson shows how to by-pass such a prompt by issuing another  | ||||
| forged request.  This can also apply to a series of prompts such as a wizard or issuing multiple  | ||||
| unrelated forged requests.</p>  | ||||
|  | ||||
|  | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple  | ||||
| malicious requests: the first to transfer funds, and the second a request to confirm the prompt  | ||||
| that the first request triggered.  The URL should point to the CSRF lesson with an extra  | ||||
| parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the  | ||||
| left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever  | ||||
| receives this email and happens to be authenticated at that time will have his funds transferred.  | ||||
| When you think the attack is successful, refresh the page and you will find the green check on  | ||||
| the left hand side menu.<br/> | ||||
| <b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,38 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b>CSRF Token Prompt By-Pass</p><br/> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| This lesson teaches how to perform CSRF attacks on sites that use tokens to mitigate CSRF attacks, but are vulnerable to CSS attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| <p> | ||||
| Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into  | ||||
| loading a page that contains a 'forged request' to execute commands with the  | ||||
| victim's credentials.  </p> | ||||
|  | ||||
| <p>Token-based request authentication mitigates these attacks.  This technique  | ||||
| inserts tokens into pages that issue requests.  These tokens are required to  | ||||
| complete a request, and help verify that requests are not scripted.  CSRFGuard from OWASP uses  | ||||
| this technique to help prevent CSRF attacks.</p> | ||||
|  | ||||
| <p>However, this technique can be by-passed if CSS vulnerabilities exist on the same site.   | ||||
| Because of the same-origin browser policy, pages from the same domain can read content from  | ||||
| other pages from the same domain.  </p> | ||||
|  | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains a malicious  | ||||
| request to transfer funds.  To successfully complete you need to obtain a valid request token.   | ||||
| The page that presents the transfer funds form contains a valid request token.  The URL for the  | ||||
| transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load  | ||||
| this page, read the token and append the token in a forged request to transferFunds. When you think | ||||
| the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/> | ||||
| <b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
|  | ||||
| @ -1,24 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting | ||||
| (XSS)</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to scrub all inputs, especially those | ||||
| inputs that will later be used as parameters to OS commands, scripts, | ||||
| and database queries. It is particularly important for content that will | ||||
| be permanently stored somewhere. Users should not be able to create | ||||
| message content that could cause another user to load an undesirable | ||||
| page or undesirable content when the user's message is retrieved. | ||||
| <br> | ||||
| XSS can also occur when unvalidated user input is used in an HTTP | ||||
| response. In a reflected XSS attack, an attacker can craft a URL with | ||||
| the attack script and post it to another website, email it, or otherwise | ||||
| get a victim to click on it. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| For this exercise, you will perform a stored XSS attack. | ||||
| You will also implement code changes in the database to defeat | ||||
| these attacks. | ||||
| <br> | ||||
|  | ||||
| @ -1,16 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform SQL Injection</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to scrub all inputs, especially those | ||||
| inputs that will later be used as parameters to OS commands, scripts, | ||||
| and database queries. Users should not be able to alter the intent of | ||||
| commands that are executed on the server, in many cases as a privileged user. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| For this exercise, you will perform a SQL Injection attack. | ||||
| You will also implement code changes in the database to defeat | ||||
| these attacks. | ||||
| <br> | ||||
|  | ||||
| @ -1,23 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform DOM Injection Attack. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| How to perform DOM injection attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| Some applications specially the ones that uses AJAX manipulates and updates the DOM | ||||
| directly using javascript, DHTML and eval() method.<br> | ||||
| An attacker may take advantage of that by intercepting the reply and try to inject some  | ||||
| javascript commands to exploit his attacks. | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * Your victim is a system that takes an activation key to allow you to use it.<br> | ||||
| * Your goal should be to try to get to enable the activate button.<br> | ||||
| * Take some time to see the HTML source in order to understand how the key validation process works.<br> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,15 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>DOM Based Cross Site Scripting (XSS)</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| The Document Object Model (DOM) presents an interesting problem from | ||||
| a security standpoint.  It allows the content of a web page to be dynamically | ||||
| modified, but that can be abused by attackers during a malicious code injection.  XSS, | ||||
| a type of malicious code injection, can occur when unvalidated user input is used directly | ||||
| to modify the content of a page on the client side. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, your mission is to use this vulnerability to inject | ||||
| malicious code into the DOM.  Then in the last stage, you will correct | ||||
| the flaws in the code to address the vulnerability. | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Denial of Service from Multiple Logins</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Denial of service attacks are a major issue in web applications. If the end user cannot conduct business or perform the service offered by the web application, then both time and money is wasted. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| This site allows a user to login multiple times. This site has a database connection pool that allows 2 connections. You must obtain a list of valid users and create a total of 3 logins. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,14 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>Dangerous Use of Eval</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to validate all input on the server side. XSS can occur | ||||
| when unvalidated user input is reflected directly into an HTTP response. In this lesson, unvalidated | ||||
| user-supplied data is used in conjunction with a Javascript eval() call. In a reflected | ||||
| XSS attack, an attacker can craft a URL with the attack script and store it on another | ||||
| website, email it, or otherwise trick a victim into clicking on it. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, your mission is to come up with some input which, when run through eval, | ||||
| will execute a malicious script. In order to pass this lesson, you must 'alert()' document.cookie. | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Peform Basic Encoding</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Different encoding schemes can be used in web applications for different reasons.  | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| This lesson will familiarize the user with different encoding schemes.  | ||||
| @ -1,10 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Bypass Fail Open Authentication </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  This lesson presents the basics for understanding the "fail open" condition regarding authentication.   The security term, “fail open” describes a behavior of a verification mechanism.   This is when an error (i.e. unexpected exception) occurs during a verification method causing that method to evaluate to true. This is especially dangerous during login.  <br> | ||||
|  <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
|  The user should be able to bypass the authentication check.   | ||||
| @ -1,21 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Forced Browsing Attacks. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| How to Exploit Forced Browsing. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.  | ||||
|  | ||||
| One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * Your goal should be to try to guess the URL for the "config" interface.<br> | ||||
| * The "config" URL is only available to the maintenance personnel.<br> | ||||
| * The application doesn't check for horizontal privileges. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit the Forgot Password Page</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Web applications frequently provide their users the ability to retrieve a forgotten password. Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the password of another user. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit Hidden Fields </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  | ||||
| Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field.  This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified  <br> | ||||
|  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to exploit a hidden field to obtain a product at an incorrect price. | ||||
| <!-- Start Instructions --> | ||||
| Try to purchase the HDTV for less than the purchase price, if you have not done so already. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,68 +0,0 @@ | ||||
| <!-- Start Instructions --> | ||||
| <h1>How To Work With WebGoat</h1> | ||||
| <p> | ||||
| Welcome to a brief overview of WebGoat.<br>  | ||||
| </p> | ||||
| <h2>Environment Information</h2> | ||||
| <p> | ||||
| WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on  | ||||
| localhost although this can be easily changed, see the "Tomcat Configuration" section in the Introduction. </p> | ||||
|  | ||||
| <h2>The WebGoat Interface</h2> | ||||
| <p> | ||||
| <img src="images/introduction/interface.png"><br><br> | ||||
| 1. Lesson Categories in WebGoat. Click on a Category to see specific Lessons.<br> | ||||
| 2. This will show the underlying Java source code.<br> | ||||
| 3. This will show the complete solution of the selected lesson.<br> | ||||
| 4. This will show goals and objectives of the lesson.<br> | ||||
| 5. This will show technical hints to solve the lesson.<br> | ||||
| 6. This shows the HTTP request data<br> | ||||
| 7. If you want to restart a lesson you can use this link.</p> | ||||
| <h2>Solve The Lesson</h2> | ||||
| <p> | ||||
| Always start with the lesson plan. Then try to solve the lesson and if necessary,  | ||||
| use the hints. The last hint is the solution text if applicable.  If you cannot solve the lesson using the hints, you may view the  | ||||
| solution for complete details.</p> | ||||
|  | ||||
| <h2>Read And Edit Parameters/Cookies</h2> | ||||
| <p> | ||||
| To read and edit parameters and cookies you need a local proxy like OWASP ZAP to intercept the HTTP request. | ||||
|  More information on ZAP can be found in the "Useful Tools" section in the Introduction. | ||||
| </p> | ||||
|  | ||||
| <h2>Configuring new WebGoat users</h2> | ||||
| <p> | ||||
| WebGoat uses spring-security.xml to configure users. | ||||
| <br/> | ||||
|   <pre> | ||||
| <!-- Authentication Manager --> | ||||
| <authentication-manager alias="authenticationManager"> | ||||
|   <authentication-provider> | ||||
|     <user-service> | ||||
|       <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /> | ||||
|       <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /> | ||||
|       <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /> | ||||
|     </user-service> | ||||
|   </authentication-provider> | ||||
| </authentication-manager>   | ||||
|   </pre> | ||||
| </p> | ||||
| <h2>Adding Users</h2> | ||||
| <p> | ||||
| Usually WebGoat only requires logging in with the user:guest and password:guest. | ||||
|  But maybe in laboratory you have made a setup with one server and a lot of | ||||
| clients. In this case you might want to have a user for every client, | ||||
|  you will have to alter /WEB-INF/spring-security.xml to add additional users. <b>We recommend not to use real passwords  | ||||
| as the passwords are stored in plain text in this file!</b> | ||||
| </p> | ||||
| <h3>Adding a new User</h3> | ||||
| <p> | ||||
| Adding a user is straight forward. You can use the guest entry as an example. The added | ||||
| users should have the same role as the guest user. The new user/password will not show on the login page.  | ||||
| Add lines like this to the /WEB-INF/spring-security.xml file: | ||||
| </p> | ||||
| <pre> | ||||
| <user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /> | ||||
| ... | ||||
| </pre> | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Discover Clues in the HTML </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code.  Review the source code for any comments denoting  passwords, backdoors, or something doesn't work right.  | ||||
|  Below is an example of a forms based authentication form.  Look for clues to help you log in. | ||||
| <!-- Stop Instructions --> | ||||
| <br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to bypass the authentication check. | ||||
| @ -1,27 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> Http Basics </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  This lesson presents the basics for understanding the transfer of data between the browser and the web application.<br> | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How HTTP works:</b> | ||||
| </p> | ||||
| All HTTP transactions follow the same general format. Each client request and server response has three parts: the request or response line, a header section and the entity body. The client initiates a transaction as follows: <br> | ||||
| <br> | ||||
|  The client contacts the server and sends a document request <br> | ||||
| </div> | ||||
|   <br> | ||||
| <ul>GET /index.html?param=value HTTP/1.0</ul> | ||||
|  Next, the client sends optional header information to inform the server of its configuration and the document formats it will accept.<br> | ||||
|  <br> | ||||
| <ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul> | ||||
| After sending the request and headers, the client may send additional data. This data is mostly used by CGI programs using the POST method.<br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request. | ||||
| <br/><br/> | ||||
| The user should become familiar with the features of WebGoat by manipulating the above  | ||||
| buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP Zed Attack Proxy for the first time. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,26 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> HttpOnly Test</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| <!-- Start Instructions --> | ||||
| To help mitigate the cross site scripting threat, Microsoft has | ||||
| introduced a new cookie attribute entitled 'HttpOnly.' If this flag is | ||||
| set, then the browser should not allow client-side script to access the | ||||
| cookie. Since the attribute is relatively new, several browsers neglect | ||||
| to handle the new attribute properly. | ||||
| <p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a> | ||||
| <p><b>General Goal(s):</b></p> | ||||
| The purpose of this lesson is to test whether your browser supports the | ||||
| HTTPOnly cookie flag. Note the value of the | ||||
| <strong>unique2u</strong> | ||||
| cookie. If your browser supports HTTPOnly, and you enable it for a | ||||
| cookie, client side code should NOT be able to read OR write to that | ||||
| cookie, but the browser can still send its value to the server. Some | ||||
| browsers only prevent client side read access, but don't prevent write | ||||
| access. | ||||
| <br /> | ||||
| <br /> | ||||
| With the HTTPOnly attribute turned on, type | ||||
| "javascript:alert(document.cookie)" in the browser address bar. Notice | ||||
| all cookies are displayed except the unique2u cookie. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,35 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform HTTP Splitting </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  This lesson teaches how to perform HTTP Splitting attacks. | ||||
|  <br />  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attack works:</b> | ||||
| </p> | ||||
| <p>The attacker passes malicious code to the web server together with normal input.  | ||||
| A victim application will not be checking for CR (carriage return, also given by %0d or \r)  | ||||
| and LF (line feed, also given by %0a or \n) characters. These characters not only give attackers control  | ||||
| of the remaining headers and body of the response the application intends to send,  | ||||
| but they also allows them to create additional responses entirely under their control.</p> | ||||
| <p>The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisoning. The goal of | ||||
| Cache Poisoning attack is to poison the cache of the victim by fooling the cache into believing that the page | ||||
| hijacked using the HTTP splitting is an authentic version of the server's copy.</p> | ||||
| <p>The attack works by using the HTTP Splitting attack plus adding the <b>Last-Modified:</b> header and setting it | ||||
| to a future date. This forces the browser to send an incorrect <b>If-Modified-Since</b> request header on future requests. | ||||
| Because of this, the server will always report that the (poisoned) page has not changed, and the victim's browser | ||||
| will continue to display the attacked version of the page.</p> | ||||
| <p>A sample of a 304 response is: | ||||
| <blockquote>HTTP/1.1 304 Not Modified <br /> | ||||
| Date: Fri, 30 Dec 2005 17:32:47 GMT</blockquote> | ||||
| </p> | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| <p>This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.</p> | ||||
| <p>Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) characters to exploit the attack. Your goal should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage. After stage 2 is exploited successfully, you will find the green check in the left menu.</p> | ||||
| <p>You may find the <a href="http://yehg.net/encoding/">PHP Charset Encoder</a> useful. The Encode and DecodeURIComponent buttons translate CR and LF.</p> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,14 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Insecure Login</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Sensitive data should never sent in plaintext! Often applications  | ||||
| switch to a secure connection after the authorization. An attacker | ||||
| could just sniff the login and use the gathered information to | ||||
| break into an account. A good webapplication always takes care of | ||||
| encrypting sensitive data. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| See how easy it is to sniff a password in plaintext.<br> | ||||
| Understand the advantages of encrypting the login data! | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,24 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform JSON Injection </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| This lesson teaches how to perform JSON Injection Attacks. | ||||
| <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| JavaScript Object Notation (JSON) is a simple and effective lightweight data exchange format. JSON can be in a lot of forms such as arrays, lists, hashtables and other data structures. | ||||
| JSON is widely used in AJAX and Web2.0 application and is favored by programmers over XML because of its ease of use and speed. | ||||
| However, JSON, like XML is prone to Injection attacks. A malicious attacker can inject the reply from the server and inject some arbitrary values in there. | ||||
|  | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * You are traveling from Boston, MA- Airport code BOS to Seattle, WA - Airport code SEA.<br>  | ||||
| * Once you enter the three digit code of the airport, an AJAX request will be executed asking for the ticket price.<br> | ||||
| * You will notice that there are two flights available, an expensive one with no stops and another cheaper one with 2 stops.<br> | ||||
| * Your goal is to try to get the one with no stops but for a cheaper price. | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,14 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Bypass Client Side JavaScript Validation </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  | ||||
| Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application. | ||||
|  | ||||
| <br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting. <br> | ||||
| <!-- Start Instructions --> | ||||
| This website performs both client and server side validation.  For this exercise, your job is to break the client side validation and send the  | ||||
|  website input that it wasn't expecting. <b> You must break all 7 validators at the same time. </b> | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,17 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> </p> | ||||
| </div> | ||||
| <!-- Start Instructions --> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <p><b>Standards Addressed:</b> </p> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <p><b>Specific Objectives:</b> </p> | ||||
| <p><b>Required Materials:</b> </p> | ||||
| <p><b>Anticipatory Set (Lead-In):</b> </p> | ||||
| <p><b>Step-By-Step Procedures:</b> </p> | ||||
| <p><b>Plan For Independent Practice:</b> </p> | ||||
| <p><b>Closure (Reflect Anticipatory Set):</b> </p> | ||||
| <p><b>Assessment Based On Objectives:</b> </p> | ||||
| <p><b>Extensions (For Gifted Students):</b> </p> | ||||
| <p><b>Possible Connections To Other Subjects:</b> </p> | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,20 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Log Spoofing. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  This lesson teaches attempts to fool the human eye. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| The attack is based on fooling the humane eye in log files. An attacker can erase his traces from the logs | ||||
| using this attack. | ||||
| </p> | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * The grey area below represents what is going to be logged in the web server's log file.<br> | ||||
| * Your goal is to make it like a username "admin" has succeeded into logging in.<br/> | ||||
| * Elevate your attack by adding a script to the log file. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,20 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Multi Level Login 1</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| A Multi Level Login should provide a strong authentication.  | ||||
| This is archived by adding a second layer. After having  | ||||
| logged in with your user name and password you are asked | ||||
| for a 'Transaction Authentication Number' (TAN). This is  | ||||
| often used by online banking. You get a list with a lots  | ||||
| of TANs generated only for you by the bank. Each TAN is used only once.  | ||||
| Another method is to provide the TAN by SMS. This has | ||||
| the advantage that an attacker can not get TANs provided | ||||
| by the user. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| In this Lesson you try to get around the strong authentication.  | ||||
| You have to break into another account. The user name, password and a  | ||||
| already used TAN is provided. You have to make sure | ||||
| the server accept the TAN even it is already used. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,20 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Multi Level Login 2</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| A Multi Level Login should provide a strong authentication.  | ||||
| This is archived by adding a second layer. After having  | ||||
| logged in with your user name and password you are asked | ||||
| for a 'Transaction Authentication Number' (TAN). This is  | ||||
| often used by online banking. You get a list with a lots  | ||||
| of TANs generated only for you by the bank. Each TAN is used only once.  | ||||
| Another method is to provide the TAN by SMS. This has | ||||
| the advantage that an attacker can not get TANs provided | ||||
| by the user. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| In this lesson you have to try to break into another account.  | ||||
| You have an own account for WebGoat Financial but you want to | ||||
| log into another account only knowing the user name of the victim | ||||
| to attack. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,13 +0,0 @@ | ||||
|  | ||||
| <!-- Start Instructions --> | ||||
| <h1>Create A WebGoat Lesson</h1> | ||||
| <p> | ||||
| Adding lessons to WebGoat is very easy. If you have an idea that would be suitable<br>  | ||||
| for a new lesson, follow these few simple instructions to implement it:<br><br> | ||||
| * Download the source code from <a href="http://code.google.com/p/webgoat/">here.</a><br><br> | ||||
| * Setup framework: follow the simple instructions in "HOW TO create the WebGoat workspace.txt" that comes with the project.<br><br> | ||||
| * You need to add two files for each new lesson: <br> | ||||
|   - YourLesson.java to org.owasp.webgoat.lessons<br> | ||||
|   - YourLesson.html to WebContent/lesson_plans</p> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,11 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Password Strength</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals, numbers and special characters. The longer the password, the better, consider using a passphrase instead. For  | ||||
| more information see: <a href="https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls" target="_blank">OWASP proper password strength</a>.  | ||||
| <!-- Stop Instructions --> | ||||
| <br/><br/> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
|  For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Bypass a Path Based Access Control Scheme </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| In a path based access control scheme, an attacker can traverse a path by providing relative path information. Therefore an attacker can use relative paths to access files that normally are not directly accessible by anyone, or would otherwise be denied if requested directly.  | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to access a file that is not in the listed directory. | ||||
| @ -1,16 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> Phishing with XSS </p> | ||||
|  </div> | ||||
|  <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to validate all input on the server side. | ||||
|  XSS can occur when unvalidated user input is used in an HTTP response.  | ||||
|  With the help of XSS you can do a Phishing Attack and add content to a page | ||||
|  which looks official. It is very hard for a victim to determinate | ||||
|  that the content is malicious. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to add a form asking for username | ||||
| and password. On submit the input should be sent | ||||
| to http://localhost/WebGoat/catcher?PROPERTY=yes &user=catchedUserName&password=catchedPasswordName | ||||
|  | ||||
| @ -1,13 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>How to Perform Reflected Cross Site Scripting (XSS)</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to validate all input on the server side. | ||||
|  XSS can occur when unvalidated user input is used in an HTTP response.  | ||||
|  In a reflected XSS attack, an attacker can craft a URL with the attack  | ||||
|  script and post it to another website, email it, or otherwise get a  | ||||
|  victim to click on it.  | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad. | ||||
| @ -1,11 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>How to Force Browser Web Resources</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| Applications will often have an administrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well.   | ||||
| <p><b>Standards Addressed :</b> </p> | ||||
| <p><b>General Goal(s):</b>  | ||||
| <!-- Start Instructions --> | ||||
| Try to access the administrative interface for WebGoat. You may also try to access the administrative interface for Tomcat.  The Tomcat admin interface can be accessed via a URL (/admin) and will not count towards the completion of this lesson.  | ||||
| <!-- Stop Instructions --> | ||||
| </p> | ||||
| @ -1,15 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> Role Based Access Control</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| In role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow obtain unauthorized roles.   | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Your goal is to explore the access control rules that govern this site. Each role has permission to certain resources (A-F). Each user is assigned one or more roles. Only the user with the [Admin] role should have access to the 'F' resources. In a successful attack, a user doesn't have the [Admin] role can access resource F. | ||||
| <p><b>Lesson Resources:</b> </p> | ||||
| <a href="lessons/RoleBasedAccessControl/images/orgChart.jpg" onclick="makeWindow(this.href, 'Org Chart');return false;" target="orgChartWin">Org Chart</a> | ||||
| <br> | ||||
| <a href="lessons/RoleBasedAccessControl/images/accessControl.jpg" onclick="makeWindow(this.href, 'Access Control Matrix');return false;" target="accessControlWin">Access Control Matrix</a> | ||||
| <br> | ||||
| <a href="lessons/RoleBasedAccessControl/images/dbSchema.jpg" onclick="makeWindow(this.href, 'Access Control Matrix');return false;" target="accessControlWin">Database Schema</a> | ||||
| @ -1,14 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform a SQL Injection </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.  | ||||
| <br><br> | ||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br> | ||||
| <br> | ||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.<br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| For this exercise, you will perform SQLInjection attacks. You will also implement code changes in the web application to defeat these attacks.  | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,13 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title: </b>Same Origin Policy Protection</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| A key element of AJAX is the XMLHttpRequest (XHR), which allows javascript to make asynchronous  | ||||
| calls from the client side to a server.  However, as a security measure these requests may  | ||||
| only be made to the server from which the client page originated. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| This exercise demonstrates the Same Origin Policy Protection.  XHR requests  | ||||
| can only be passed back to the originating server.  Attempts to pass data to  | ||||
| a non-originating server will fail."; | ||||
| @ -1,33 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> Session Fixation</p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| How to steal a session with a 'Session Fixation' | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| A user is recognized by the server by an unique Session ID. If a | ||||
| user has logged in and is authorized he does not have to  | ||||
| reauthorize when he revisits the application as the user is recognized | ||||
| by the Session ID. In some applications it is possible to deliver | ||||
| the Session ID in the Get-Request. Here is where the attack starts. | ||||
| <br><br> | ||||
| An attacker can send a hyperlink to a victim with a chosen Session ID. | ||||
| This can be done for example by a prepared mail which looks like an  | ||||
| official mail from the application administrator. | ||||
| If the victim clicks on the link and logs in he is authorized | ||||
| by the Session ID the attacker has chosen. The attacker | ||||
| can visit the page with the same ID and is recognized as the victim and | ||||
| gets logged in without authorization. | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| This lesson has several stages. You play the attacker but also the victim. | ||||
| After having done this lesson it should be understood how | ||||
| a Session Fixation in general works. It should be also understood that | ||||
| it is a bad idea to use the Get-Request for Session IDs. | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,24 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Silent Transactions Attacks. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| This lesson teaches how to perform silent transactions attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| Any system that silently processes transactions using a single submission is dangerous to the client.  | ||||
| For example, if a normal web application allows a simple URL submission, a preset session attack will  | ||||
| allow the attacker to complete a transaction without the user<65>s authorization.  | ||||
| In Ajax, it gets worse: the transaction is silent; it happens with no user feedback on the page,  | ||||
| so an injected attack script may be able to steal money from the client without authorization.<br> | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| * This is a sample internet banking application - money transfer page.<br> | ||||
| * It shows below your balance, the account you are transferring to and amount you will transfer.<br> | ||||
| * The application uses AJAX to submit the transaction after doing some basic client side validations.<br> | ||||
| * Your goal is to try to bypass the user's authorization and silently execute the transaction.<br> | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Create a SOAP Request</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL). Let's learn something about WSDL files. Check out WebGoat's web service description language (WSDL) file.  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Try connecting to the WSDL with a browser or Web Service tool. The URL for the web service is: http://localhost/WebGoat/services/SoapRequest The WSDL can usually be viewed by adding a ?WSDL on the end of the web service request. You must access 2 of the operations to pass this lesson. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,14 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Numeric SQL Injection </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.  | ||||
| <br><br> | ||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br> | ||||
| <br> | ||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The form below allows a user to view weather data. Try to inject an SQL string that results in all the weather data being displayed. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,14 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform String SQL Injection </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.  | ||||
| <br><br> | ||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br> | ||||
| <br> | ||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The form below allows a user to view their credit card numbers. Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Stored Cross Site Scripting (XSS) </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to scrub all input, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere in the application. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to add message content that cause another user to load an undesireable page or content. | ||||
| @ -1,22 +0,0 @@ | ||||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> | ||||
| <html> | ||||
| <head> | ||||
|                 | ||||
|   <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> | ||||
|   <title>Lesson Plan</title> | ||||
| </head> | ||||
|   <body> | ||||
|   | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit Thread Safety Problems </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  Web applications can handle many HTTP requests simultaneously.  Developers often use variables that are not thread safe.  Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time. Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently. <br> | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to exploit the concurrency error in the web application and view login information for another user that is attempting the same function at the same time.  <b>This will require the use of two browsers</b>.  | ||||
| <br> | ||||
| </body> | ||||
| </html> | ||||
| @ -1,80 +0,0 @@ | ||||
| <!-- Start Instructions --> | ||||
| <h1>How To Configure Tomcat</h1><br><br> | ||||
| <h2>Introduction</h2> | ||||
| <p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations | ||||
| and other possible configurations for Tomcat. This is just  | ||||
| a short description which should be enough in most cases. For more advanced tasks please  | ||||
| refer to the Tomcat documentation. Please note that all solutions | ||||
| are written for the standard configurations on port 80 or 8080. If you use another port you have  | ||||
| to adjust the solution to your configuration.</p> | ||||
|  | ||||
| <h2>The Standard Configurations</h2> | ||||
| <p>WebGoat has multiple ways of being run. The <a href="https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0)"> | ||||
| WebGoat Wiki</a> is the best place to find the latest configuration instructions.  | ||||
| By default WebGoat will run on port 8080. In the basic configurations you use the server on your localhost.    | ||||
| In Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 and | ||||
| 	443. Running software as root is dangerous we strongly advice to use | ||||
| the port 8080 and 8443.  | ||||
| </p> | ||||
|  | ||||
| <h2>Server Configurations</h2> | ||||
| <p> | ||||
| If you are a single user of WebGoat the standard configurations should be | ||||
| enough but if you want to use WebGoat in laboratory or in class there | ||||
| might be the need to change the configurations. Before changing | ||||
| the configurations we recommend doing a backup of the files you change. | ||||
| </p> | ||||
|  | ||||
| <h3>Change Ports</h3> | ||||
| <p> | ||||
| To change the ports open Tomcat's server.xml which you find in tomcat/conf and change the  | ||||
| non-SSL port.  If you want to change your  | ||||
| Tomcat server to use it on port 8079 for example: | ||||
| </p> | ||||
|  | ||||
| <pre> | ||||
| <!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->  | ||||
| <Connector address="127.0.0.1" port="8079"... | ||||
| </pre> | ||||
| <p> | ||||
| You can also change the SSL connector to another port of course. | ||||
| In this example to port 8442: | ||||
| </p> | ||||
| <pre> | ||||
| <!-- Define a SSL HTTP/1.1 Connector on port 8442 -->  | ||||
| <Connector address="127.0.0.1" port="8442"...  | ||||
| </pre> | ||||
| </p> | ||||
| You can also modify WebGoat's pom.xml file to change the port.  You will need to modify | ||||
| the tomcat7-maven-plugin plugin configuration. | ||||
| </p> | ||||
| <br> | ||||
|  | ||||
| <h3>Make WebGoat Reachable From Another Client</h3> | ||||
| <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS | ||||
| 	UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN  | ||||
| SAFE NETWORKS!</p> | ||||
| <p>By its default configuration, WebGoat is only | ||||
| reachable within the localhost. In a laboratory or a class | ||||
| there is maybe the need of having a server and a few clients.  | ||||
| In this case it is possible to make WebGoat reachable. | ||||
| </p> | ||||
|  | ||||
| <h3>Permit Only Certain Client Connection</h3> | ||||
| <p> | ||||
| If you have made WebGoat reachable it is reachable for | ||||
| all clients. If you want to make it reachable only for certain clients specified | ||||
| by their IP you can archive this by using a 'Remote Address Filter'. | ||||
| The filter can be set in a whitebox or blackbox approach. Here is | ||||
| only discussed the whitebox approach. You have to add following lines to the  | ||||
| Host section of server.xml in your Tomcat server configuration: | ||||
| </p> | ||||
| <pre> | ||||
| 	<Valve className="org.apache.catalina.valves.RemoteAddrValve" | ||||
| 	allow="127.0.0.1,ip1,ip2"/> | ||||
| </pre> | ||||
| <p>In this case only localhost, ip1 and ip2 are permitted to connect.</p> | ||||
|  | ||||
|  | ||||
|  | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Cross Site Tracing (XST) Attacks </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to scrub all input, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere in the application. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Tomcat is configured to support the HTTP TRACE command. Your goal is to perform a Cross Site Tracing (XST) attack. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit Unchecked Email </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| It is always a good practice to validate all inputs.  Most sites allow non-authenticated users to send email to a 'friend'. This is a great mechanism for spammers to send out email using your corporate mail server. | ||||
| <!-- Stop Instructions --> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| The user should be able to send and obnoxious email message. | ||||
| @ -1,41 +0,0 @@ | ||||
|  | ||||
| <!-- Start Instructions --> | ||||
| <h1>Useful Tools</h1> | ||||
| <p> | ||||
| Below is a list of tools we've found useful in solving the WebGoat lessons. You will need a proxy like OWASP ZAP or Paros to solve most of the lessons. </p> | ||||
| <h2>OWASP ZAP:</h2> | ||||
| <p> | ||||
| Like WebGoat, Zed Attack Proxy (ZAP) is a part of OWASP and is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. | ||||
| It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. | ||||
| ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually..<br><br> | ||||
| <img src="images/introduction/UsefulTools-ZAP.png"><br><br> | ||||
| Webpage: <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a> | ||||
| <br>The .jar install file can be found at the <a href="http://code.google.com/p/zaproxy/wiki/Downloads?tm=2">OWASP ZAP Google Code Project</a></p> | ||||
| <p>After installing ZAP and configuring your browser to use it as a proxy on localhost we can start. To intercept a request,   | ||||
| click the green arrow icon turning it red. If we browse a WebGoat page, ZAP will intercept the HTTP request. | ||||
| Here we can read and edit the intercepted parameters and headers. After editing is complete press the play icon to submit the request to the server.<br> | ||||
| <img src="images/introduction/UsefulTools-ZAP_1.png"><br><br> | ||||
| </p> | ||||
| <h2>Modern Browsers:</h2> | ||||
| <p> | ||||
| Most modern browser have developer tools that will allow you to inspect and modify request data. | ||||
| <br><br> | ||||
|  | ||||
| <h2>Wireshark</h2> | ||||
| <p> | ||||
| Wireshark is a network protocol analyzer. You can sniff network traffic and gather useful | ||||
| informations this way.<br><br> | ||||
| <img src="images/introduction/wireshark.png"><br><br> | ||||
| Webpage:<a href="http://www.wireshark.org" target="_blank">http://www.wireshark.org</a> | ||||
|  | ||||
| </p> | ||||
|  | ||||
| <h2>Scanners (Attacking Proxies):</h2> | ||||
| <p> | ||||
| There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to three open source scanners. <br><br> | ||||
| Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br> | ||||
| Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br> | ||||
| OWASP ZAP:<a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a><br> | ||||
| </p> | ||||
| <!-- Stop Instructions --> | ||||
| <br> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform WSDL Scanning</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| This screen is the API for a web service. Check the WSDL file for this web service and try to get some customer credit numbers. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Spoof an Authentication Cookie </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  | ||||
| Many applications will automatically log a user into their site if the right authentication cookie is specified.   Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained.  Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability.  Some times the cookies maybe intercepted using Cross site scripting.  This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.<br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
|  The user should be able to bypass the authentication check. | ||||
| Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Hijack a Session</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks. | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Try to access an authenticated session belonging to someone else. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,16 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:Welcome</b> </p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| This lesson presents the basics for understanding the transfer of data between the browser and the web application. | ||||
| <p><b>Standards Addressed:</b> </p> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <p><b>Specific Objectives:</b> </p> | ||||
| <p><b>Required Materials:</b> </p> | ||||
| <p><b>Anticipatory Set (Lead-In):</b> </p> | ||||
| <p><b>Step-By-Step Procedures:</b> </p> | ||||
| <p><b>Plan For Independent Practice:</b> </p> | ||||
| <p><b>Closure (Reflect Anticipatory Set):</b> </p> | ||||
| <p><b>Assessment Based On Objectives:</b> </p> | ||||
| <p><b>Extensions (For Gifted Students):</b> </p> | ||||
| <p><b>Possible Connections To Other Subjects:</b> </p> | ||||
| @ -1,12 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Web Service SAX Injection</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends. | ||||
| <br/> | ||||
| <br> | ||||
| In this exercise, try to change the password for a user other than 101. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,9 +0,0 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Perform Web Service SQL Injection</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Check the web service description language (WSDL) file and try to obtain multiple customer credit card numbers. You will not see the results returned to this screen. When you believe you have suceeded, refresh the page and look for the 'green star'. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,19 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform XML Injection Attacks. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  This lesson teaches how to perform XML Injection attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| AJAX applications use XML to exchange information with the server. This XML can be easily intercepted and altered by a malicious attacker. | ||||
|  | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| WebGoat-Miles Reward Miles shows all the rewards available. Once you've entered your account ID, the lesson will show you your balance and the products you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239. | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -1,22 +0,0 @@ | ||||
| <div align="Center">  | ||||
| <p><b>Lesson Plan Title:</b> How to Perform XPATH Injection Attacks. </p> | ||||
|  </div> | ||||
|   | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
|  This lesson teaches how to perform XPath Injection attacks. | ||||
|  <br>  | ||||
| <div align="Left">  | ||||
| <p> | ||||
| <b>How the attacks works:</b> | ||||
| </p> | ||||
| Similar to SQL Injection, XPATH Injection attacks occur when a web site uses user supplied information to query XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to. | ||||
| They may even be able to elevate their privileges on the web site if the xml data is being used for authentication (such as an xml based user file).  | ||||
|  | ||||
| Querying XML is done with XPath, a type of simple descriptive statement that allows the xml query to locate a piece of information. Like SQL you can specify certain attributes to find and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't mess up the XPath query and return the wrong data.  | ||||
|  | ||||
|  | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| The form below allows employees to see all their personal data including their salaries. Your account is Mike/test123. Your goal is to try to see other employees data as well. | ||||
| <!-- Stop Instructions --> | ||||
| @ -21,6 +21,6 @@ In this way, the attacker can make the victim perform actions that they didn't i | ||||
| </div> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu. | ||||
| Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/><b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
|  | ||||
| @ -27,6 +27,7 @@ parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the sh | ||||
| left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever  | ||||
| receives this email and happens to be authenticated at that time will have his funds transferred.  | ||||
| When you think the attack is successful, refresh the page and you will find the green check on  | ||||
| the left hand side menu. | ||||
| the left hand side menu.<br/> | ||||
| <b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
|  | ||||
| @ -31,7 +31,8 @@ request to transfer funds.  To successfully complete you need to obtain a valid | ||||
| The page that presents the transfer funds form contains a valid request token.  The URL for the  | ||||
| transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load  | ||||
| this page, read the token and append the token in a forged request to transferFunds. When you think | ||||
| the attack is successful, refresh the page and you will find the green check on the left hand side menu. | ||||
| the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/> | ||||
| <b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
|  | ||||
|  | ||||
| @ -1,49 +1,68 @@ | ||||
| <!-- Start Instructions --> | ||||
| <h1>How To Work With WebGoat</h1> | ||||
| <p> | ||||
| Welcome to a short introduction to WebGoat.<br>  | ||||
| Here you will learn how to use WebGoat and additional tools for the lessons.<br><br> | ||||
| Welcome to a brief overview of WebGoat.<br>  | ||||
| </p> | ||||
| <h2>Environment Information</h2> | ||||
| <p> | ||||
| WebGoat uses the Apache Tomcat server. It is configured to run on localhost although this can be | ||||
| easily changed. This | ||||
| configuration is for single user, additional users can be added in the tomcat-users.xml file.  | ||||
| If you want to use WebGoat in a laboratory or in  | ||||
| class you might need to change this setup. Please refer to the Tomcat Configuration  | ||||
| in the Introduction section.</p> | ||||
| WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on  | ||||
| localhost although this can be easily changed, see the "Tomcat Configuration" section in the Introduction. </p> | ||||
|  | ||||
| <h2>The WebGoat Interface</h2> | ||||
| <p> | ||||
| <img src="images/introduction/interface.jpg"><br><br> | ||||
| 1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br> | ||||
| 2. This will show technical hints to solve the lesson.<br> | ||||
| 3. This will show the HTTP Request Parameters<br> | ||||
| 4. This will show the HTTP Request Cookies<br> | ||||
| 5. This will show goals and objectives of the lesson.<br> | ||||
| 6. This will show the underlying Java source code.<br> | ||||
| 7. This will show the complete solution of the selected lesson.<br> | ||||
| 8. If you want to restart a lesson you can use this link.</p> | ||||
| <img src="images/introduction/interface.png"><br><br> | ||||
| 1. Lesson Categories in WebGoat. Click on a Category to see specific Lessons.<br> | ||||
| 2. This will show the underlying Java source code.<br> | ||||
| 3. This will show the complete solution of the selected lesson.<br> | ||||
| 4. This will show goals and objectives of the lesson.<br> | ||||
| 5. This will show technical hints to solve the lesson.<br> | ||||
| 6. This shows the HTTP request data<br> | ||||
| 7. If you want to restart a lesson you can use this link.</p> | ||||
| <h2>Solve The Lesson</h2> | ||||
| <p> | ||||
| Always start with the lessons plan. Then try to solve the lesson and if necessary,  | ||||
| Always start with the lesson plan. Then try to solve the lesson and if necessary,  | ||||
| use the hints. The last hint is the solution text if applicable.  If you cannot solve the lesson using the hints, you may view the  | ||||
| solution for complete details.</p> | ||||
| <h2>Read And Edit Parameters</h2> | ||||
|  | ||||
| <h2>Read And Edit Parameters/Cookies</h2> | ||||
| <p> | ||||
| To read and edit Parameters you need a local proxy to intercept the HTTP request.  | ||||
| Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter. | ||||
| After installing WebScarab and configuring your browser to use it as proxy on localhost we can start.<br><br> | ||||
| <img src="images/introduction/HowToUse_1.jpg"><br><br> | ||||
| We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br> | ||||
| <img src="images/introduction/HowToUse_2.jpg"><br><br> | ||||
| Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server. | ||||
| To read and edit parameters and cookies you need a local proxy like OWASP ZAP to intercept the HTTP request. | ||||
|  More information on ZAP can be found in the "Useful Tools" section in the Introduction. | ||||
| </p> | ||||
| <h2>Read And Edit Cookies</h2> | ||||
|  | ||||
| <h2>Configuring new WebGoat users</h2> | ||||
| <p> | ||||
| Often it is not only necessary to change the value of the parameters but to change the value of cookies.  | ||||
| We can use WebScarab to intercept the request and change cookies values just like parameter data as explained in the last topic.<br><br> | ||||
| <img src="images/introduction/HowToUse_3.jpg"><br><br> | ||||
| We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them. | ||||
| WebGoat uses spring-security.xml to configure users. | ||||
| <br/> | ||||
|   <pre> | ||||
| <!-- Authentication Manager --> | ||||
| <authentication-manager alias="authenticationManager"> | ||||
|   <authentication-provider> | ||||
|     <user-service> | ||||
|       <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /> | ||||
|       <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /> | ||||
|       <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /> | ||||
|     </user-service> | ||||
|   </authentication-provider> | ||||
| </authentication-manager>   | ||||
|   </pre> | ||||
| </p> | ||||
| <h2>Adding Users</h2> | ||||
| <p> | ||||
| Usually WebGoat only requires logging in with the user:guest and password:guest. | ||||
|  But maybe in laboratory you have made a setup with one server and a lot of | ||||
| clients. In this case you might want to have a user for every client, | ||||
|  you will have to alter /WEB-INF/spring-security.xml to add additional users. <b>We recommend not to use real passwords  | ||||
| as the passwords are stored in plain text in this file!</b> | ||||
| </p> | ||||
| <h3>Adding a new User</h3> | ||||
| <p> | ||||
| Adding a user is straight forward. You can use the guest entry as an example. The added | ||||
| users should have the same role as the guest user. The new user/password will not show on the login page.  | ||||
| Add lines like this to the /WEB-INF/spring-security.xml file: | ||||
| </p> | ||||
| <pre> | ||||
| <user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /> | ||||
| ... | ||||
| </pre> | ||||
| <!-- Stop Instructions --> | ||||
|  | ||||
| @ -8,7 +8,7 @@ | ||||
| <p> | ||||
| <b>How HTTP works:</b> | ||||
| </p> | ||||
| All HTTP transactions follow the same general format. Each client request and server response has three parts:  the request or response line, a header section, and the entity body. The client initiates a transaction as follows: <br> | ||||
| All HTTP transactions follow the same general format. Each client request and server response has three parts: the request or response line, a header section and the entity body. The client initiates a transaction as follows: <br> | ||||
| <br> | ||||
|  The client contacts the server and sends a document request <br> | ||||
| </div> | ||||
| @ -20,8 +20,8 @@ All HTTP transactions follow the same general format. Each client request and se | ||||
| After sending the request and headers, the client may send additional data. This data is mostly used by CGI programs using the POST method.<br> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request. | ||||
| Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request. | ||||
| <br/><br/> | ||||
| The user should become familiar with the features of WebGoat by manipulating the above  | ||||
| buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time. | ||||
| buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP Zed Attack Proxy for the first time. | ||||
| <!-- Stop Instructions --> | ||||
| @ -1,21 +1,21 @@ | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit "Off-by-One" Buffer Overflow Vulnerabilities</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| How to Exploit a Web Based "Off-by-One" Buffer Overflow. | ||||
| <br> | ||||
| <div align="Left"> | ||||
| <p><b>How the attack works:</b> | ||||
| </p> | ||||
| Despite being more rare, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language.  | ||||
| 
 | ||||
| For the particular subset, namely, off-by-one overflows, this lesson focuses on the consequences of being able to overwrite the position for the trailing null byte.  | ||||
| 
 | ||||
| As a result, further information is returned back to the user, due to the fact that no null byte was found. | ||||
| </div> | ||||
| <p><b>Lesson Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| <p>Welcome to the <b>OWASP Hotel</b>! Can you find out which room a VIP guest is staying in?</p> | ||||
| <!-- Stop Instructions --> | ||||
| * Understand how a buffer overflow vulnerability can be triggered on a web application.<br> | ||||
| <div align="Center"> | ||||
| <p><b>Lesson Plan Title:</b> How to Exploit "Off-by-One" Buffer Overflow Vulnerabilities</p> | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b></p> | ||||
| How to Exploit a Web Based "Off-by-One" Buffer Overflow. | ||||
| <br> | ||||
| <div align="Left"> | ||||
| <p><b>How the attack works:</b> | ||||
| </p> | ||||
| Despite being more rare, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language.  | ||||
| 
 | ||||
| For the particular subset, namely, off-by-one overflows, this lesson focuses on the consequences of being able to overwrite the position for the trailing null byte.  | ||||
| 
 | ||||
| As a result, further information is returned back to the user, due to the fact that no null byte was found. | ||||
| </div> | ||||
| <p><b>Lesson Goal(s):</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| <p>Welcome to the <b>OWASP Hotel</b>! Can you find out which room a VIP guest is staying in?</p> | ||||
| <!-- Stop Instructions --> | ||||
| * Understand how a buffer overflow vulnerability can be triggered on a web application.<br> | ||||
| * Understand what type of value lengths are likely to trigger a buffer overflow.<br> | ||||
| @ -3,8 +3,9 @@ | ||||
| </div> | ||||
| <p><b>Concept / Topic To Teach:</b> </p> | ||||
| <!-- Start Instructions --> | ||||
| Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the sbetter. | ||||
| Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals, numbers and special characters. The longer the password, the better, consider using a passphrase instead. For  | ||||
| more information see: <a href="https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls" target="_blank">OWASP proper password strength</a>.  | ||||
| <!-- Stop Instructions --> | ||||
| <br> | ||||
| <br/><br/> | ||||
| <p><b>General Goal(s):</b> </p> | ||||
|  For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a> | ||||
| @ -5,5 +5,5 @@ | ||||
| <!-- Start Instructions --> | ||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL). Let's learn something about WSDL files. Check out WebGoat's web service description language (WSDL) file.  | ||||
| <p><b>General Goal(s):</b> </p> | ||||
| Try connecting to the WSDL with a browser or Web Service tool. The URL for the web service is: http://localhost/WebGoat/services/SoapRequest The WSDL can usually be viewed by adding a ?WSDL on the end of the web service request. | ||||
| Try connecting to the WSDL with a browser or Web Service tool. The URL for the web service is: http://localhost/WebGoat/services/SoapRequest The WSDL can usually be viewed by adding a ?WSDL on the end of the web service request. You must access 2 of the operations to pass this lesson. | ||||
| <!-- Stop Instructions --> | ||||
| @ -5,20 +5,16 @@ | ||||
| and other possible configurations for Tomcat. This is just  | ||||
| a short description which should be enough in most cases. For more advanced tasks please  | ||||
| refer to the Tomcat documentation. Please note that all solutions | ||||
| are written for the standard configurations on port 80. If you use another port you have  | ||||
| are written for the standard configurations on port 80 or 8080. If you use another port you have  | ||||
| to adjust the solution to your configuration.</p> | ||||
|  | ||||
| <h2>The Standard Configurations</h2> | ||||
| <p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. | ||||
| 	Both are identically with the only difference | ||||
| 	that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have | ||||
| 	to start WebGoat as root or with sudo if you want to run it on port 80 and | ||||
| 	443. | ||||
| 	As running software as root is dangerous we strongly advice to use | ||||
| the port 8080 and 8443. In Windows you can | ||||
| run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you | ||||
| can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these | ||||
| configurations is guest with password guest | ||||
| <p>WebGoat has multiple ways of being run. The <a href="https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0)"> | ||||
| WebGoat Wiki</a> is the best place to find the latest configuration instructions.  | ||||
| By default WebGoat will run on port 8080. In the basic configurations you use the server on your localhost.    | ||||
| In Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 and | ||||
| 	443. Running software as root is dangerous we strongly advice to use | ||||
| the port 8080 and 8443.  | ||||
| </p> | ||||
|  | ||||
| <h2>Server Configurations</h2> | ||||
| @ -31,46 +27,47 @@ the configurations we recommend doing a backup of the files you change. | ||||
|  | ||||
| <h3>Change Ports</h3> | ||||
| <p> | ||||
| To change the ports open the server_80.xml which you find in tomcat/conf and change the  | ||||
| non-SSL port. If you want to use it on port 8079 for example: | ||||
| To change the ports open Tomcat's server.xml which you find in tomcat/conf and change the  | ||||
| non-SSL port.  If you want to change your  | ||||
| Tomcat server to use it on port 8079 for example: | ||||
| </p> | ||||
|  | ||||
| <pre> | ||||
| 	<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->  | ||||
| 	<Connector address="127.0.0.1" port="8079"... | ||||
| <!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->  | ||||
| <Connector address="127.0.0.1" port="8079"... | ||||
| </pre> | ||||
| <p> | ||||
| You can also change the SSL connector to another port of course. | ||||
| In this example to port 8442: | ||||
| </p> | ||||
| <pre> | ||||
| 	<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->  | ||||
| 	<Connector address="127.0.0.1" port="8442"...  | ||||
| <!-- Define a SSL HTTP/1.1 Connector on port 8442 -->  | ||||
| <Connector address="127.0.0.1" port="8442"...  | ||||
| </pre> | ||||
| </p> | ||||
| You can also modify WebGoat's pom.xml file to change the port.  You will need to modify | ||||
| the tomcat7-maven-plugin plugin configuration. | ||||
| </p> | ||||
| <br> | ||||
|  | ||||
| <h3>Make WebGoat Reachable From Another Client</h3> | ||||
| <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS | ||||
| 	UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN  | ||||
| SAFE NETWORKS!</p> | ||||
| <p>By its default configurations WebGoat is only | ||||
| <p>By its default configuration, WebGoat is only | ||||
| reachable within the localhost. In a laboratory or a class | ||||
| there is maybe the need of having a server and a few clients.  | ||||
| In this case it is possible to make WebGoat reachable. | ||||
| </p> | ||||
| <p>The reason why WebGoat is only reachable within the localhost is | ||||
| the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set | ||||
| to 127.0.0.1. The applications only listens on the port of this address for | ||||
| incoming connections if it is set. If you remove this parameter the server listens on all IPs on the | ||||
| specific port.</p> | ||||
|  | ||||
| <h3>Permit Only Certain Clients Connection</h3> | ||||
| <h3>Permit Only Certain Client Connection</h3> | ||||
| <p> | ||||
| If you have made WebGoat reachable it is reachable for | ||||
| all clients. If you want to make it reachable only for certain clients specified | ||||
| by there IP you can archive this by using a 'Remote Address Filter'. | ||||
| by their IP you can archive this by using a 'Remote Address Filter'. | ||||
| The filter can be set in a whitebox or blackbox approach. Here is | ||||
| only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: | ||||
| only discussed the whitebox approach. You have to add following lines to the  | ||||
| Host section of server.xml in your Tomcat server configuration: | ||||
| </p> | ||||
| <pre> | ||||
| 	<Valve className="org.apache.catalina.valves.RemoteAddrValve" | ||||
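Review bot: The "Make WebGoat Reachable From Another Client" paragraph in this hunk still tells the reader to edit the address attribute in `server_80.xml`, while the "Change Ports" and "Permit Only Certain Client Connection" paragraphs in the same hunk were updated to Tomcat's `server.xml`; a reader following the stale name will not find the file and may conclude the 127.0.0.1 binding is not in effect. Change that line to `the parameter address in the connectors for the non-SSL and SSL connection in server.xml. It is set`. The hunk also adds the option of running through the tomcat7-maven-plugin from pom.xml; if that embedded container is used, the conf/server.xml connector settings presumably do not apply, so the localhost-only statement should say which launch method it covers — confirm. "whitebox/blackbox approach" would be clearer as allow-list/deny-list, since the RemoteAddrValve allow/deny attributes are what is being configured. The Valve element on the last line continues in the next hunk.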
| @ -78,37 +75,6 @@ only discussed the whitebox approach. You have to add following lines to the Hos | ||||
| </pre> | ||||
| <p>In this case only localhost, ip1 and ip2 are permitted to connect.</p> | ||||
|  | ||||
| <h2>WebGoat Default Users and Roles for Tomcat</h2> | ||||
| <p> | ||||
| WebGoat requires the following users and roles to be configured in order for the application to run. | ||||
| <br/> | ||||
|   <pre> | ||||
|   >role rolename="webgoat_basic"/< | ||||
|   >role rolename="webgoat_admin"/< | ||||
|   >role rolename="webgoat_user"/< | ||||
|   >user username="webgoat" password="webgoat" roles="webgoat_admin"/< | ||||
|   >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/< | ||||
|   >user username="guest" password="guest" roles="webgoat_user"/< | ||||
|   </pre> | ||||
| </p> | ||||
| <h2>Adding Users</h2> | ||||
| <p> | ||||
| Usually using WebGoat you just use the user guest with the password guest. | ||||
| But maybe in laboratory you have made a setup with one server and a lot of | ||||
| clients. In this case you might want to have a user for every client | ||||
|  and you have to alter tomcat-users.xml  | ||||
| in tomcat/conf as the users are stored there. <b>We recommend not to use real passwords  | ||||
| as the passwords are stored in plain text in this file!</b> | ||||
| </p> | ||||
| <h3>Add User</h3> | ||||
| <p> | ||||
| Adding a user is straight forward. You can use the guest entry as an example. The added | ||||
| users should have the same role as the guest user. Add lines like this to the file: | ||||
| </p> | ||||
| <pre> | ||||
| 	<user name="student1" password="password1" roles="webgoat_user"/> | ||||
| 	<user name="student2" password="password2" roles="webgoat_user"/> | ||||
| 	... | ||||
| </pre> | ||||
|  | ||||
|  | ||||
| <!-- Stop Instructions --> | ||||
| @ -151,7 +151,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||
| 					</td> | ||||
|                       <td width="190"> </td> | ||||
|                       <td width="76"> | ||||
| 						<form method="POST"> | ||||
| 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||
| 							<input type="submit" name="action" value="<%=CrossSiteScripting.LOGOUT_ACTION%>"/> | ||||
| 						</form> | ||||
| 					</td> | ||||
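Review bot: The added `action` attribute writes the result of `getFormAction()` with `<%= %>`, which performs no HTML-attribute encoding, so a `"` or `>` in the returned value ends the attribute and lands in the markup. Where that value is built is outside this hunk; the lesson text elsewhere in this commit says lesson URLs carry `Screen` and `menu` query values, so if those are echoed from the request here this is an injection point in the framework rather than in the lesson's intended vulnerability — confirm against `getFormAction()`. If it can carry request-derived data, encode it for an HTML attribute context before emitting, or build the action from server-side lesson identifiers only. The enclosing table and form markup starts and ends outside the hunk.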
|  | ||||
| @ -1,139 +1,100 @@ | ||||
| <%@ page contentType="text/html; charset=ISO-8859-1" language="java" | ||||
| 	errorPage=""%> | ||||
| <%@page import="org.owasp.webgoat.session.WebSession"%> | ||||
| <% | ||||
| WebSession webSession = ((WebSession) session.getAttribute("websession")); | ||||
| %> | ||||
|          errorPage=""%> | ||||
|  | ||||
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | ||||
| <html xmlns="http://www.w3.org/1999/xhtml"> | ||||
| <head> | ||||
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> | ||||
| <title>WebGoat V5.4</title> | ||||
| <link rel="stylesheet" href="css/webgoat.css" type="text/css" /> | ||||
| <link rel="stylesheet" href="css/webgoat_challenge.css" type="text/css" /> | ||||
| </head> | ||||
| <!-- This modal content is included into the main_new.jsp --> | ||||
|  | ||||
| <body> | ||||
| <div class="modal-content"> | ||||
|     <div class="modal-header">        | ||||
|         <h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3> | ||||
|     </div> | ||||
|     <div class="modal-body modal-scroll"> | ||||
|         <p>Thanks for hacking The Goat!</p>  | ||||
|         <p>WebGoat is a demonstration of common web application flaws. The | ||||
|             associated exercises are intended to provide hands-on experience with | ||||
|             techniques aimed at demonstrating and testing application penetration. | ||||
|         </p> | ||||
|         <p>From the entire WebGoat team, we appreciate your interest and efforts | ||||
|             in making applications not just better, but safer and more secure for | ||||
|             everyone. We, as well as our sacrificial goat, thank you.</p> | ||||
|         <p> | ||||
|             Version: ${version}, Build: ${build} | ||||
|         </p> | ||||
|  | ||||
| <div id="wrap_ch"> | ||||
| <div id="top_ch"></div> | ||||
| <div id="start_ch"> | ||||
| <p>Thank you for using WebGoat! This program is a demonstration of common web application flaws. | ||||
| The exercises are intended to provide hands on experience with | ||||
| application penetration testing techniques. </p> | ||||
| <p>The WebGoat project is led | ||||
| by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p> | ||||
|  | ||||
| <div id="team_ch"> | ||||
| <table border="0" align="center" class="lessonText"> | ||||
| 	<tr> | ||||
| 		<td width="50%"> | ||||
| 		<div align="center"><a href="http://www.owasp.org"><img | ||||
| 			border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation" | ||||
| 			longdesc="http://www.owasp.org" /></a></div> | ||||
| 		</td> | ||||
| 		<td width="50%"> | ||||
| 		<div align="center"><a href="http://www.aspectsecurity.com"><img | ||||
| 			border="0" src="images/logos/aspect.jpg" alt="Aspect Security" | ||||
| 			longdesc="http://www.aspectsecurity.com" /></a></div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td colspan="2"> | ||||
| 		<div align="center"><span class="style1"> | ||||
| 		WebGoat Authors </span></div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td colspan="2"> | ||||
| 		<div align="center"><span class="style2"> | ||||
| 		Bruce Mayhew </span></div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td colspan="2"> | ||||
| 		<div align="center"><span class="style2"> | ||||
| 		Jeff Williams </span></div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td width="50%"> | ||||
| 		<div align="center"><span class="style1"><br /> | ||||
| 		WebGoat Design Team </span></div> | ||||
| 		</td> | ||||
| 		<td width="50%"> | ||||
| 		<div align="center"><span class="style1"><br /> | ||||
| 		V5.4 Lesson Contributers </span></div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td valign="top"> | ||||
| 		<div align="center" class="style2">David Anderson</div> | ||||
| 		<div align="center" class="style2">Laurence Casey (Graphics)</div> | ||||
| 		<div align="center" class="style2">Rogan Dawes</div> | ||||
| 		<div align="center" class="style2">Bruce Mayhew</div> | ||||
| 		</td> | ||||
| 		<td valign="top"> | ||||
| 		<div align="center" class="style2">Sherif Koussa</div> | ||||
| 		<div align="center" class="style2">Yiannis Pavlosoglou</div> | ||||
| 		<div align="center" class="style2"></div> | ||||
|  | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td height="25" valign="bottom"> | ||||
| 		<div align="center"><span class="style1">Special Thanks | ||||
| 		for V5.4</span></div> | ||||
| 		</td> | ||||
| 		<td height="25" valign="bottom"> | ||||
| 		<div align="center"><span class="style1">Documentation | ||||
| 		Contributers</span></div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td> | ||||
| 		<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div> | ||||
| 		<div align="center" class="style2">To all who have sent comments</div> | ||||
| 		 | ||||
| 		</td> | ||||
| 		<td> | ||||
| 		<div align="center" class="style2"> | ||||
| 		<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div> | ||||
| 		<div align="center" class="style2"> | ||||
| 		<a href="http://yehg.org/" target="_blank">Aung Khant</a></div> | ||||
| 		<div align="center" class="style2"> | ||||
| 			<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a> | ||||
| 		</div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td colspan="2"> | ||||
| 		<div align="center" class="style2"> | ||||
| 		<form id="form" name="form" method="post" action="attack"><input | ||||
| 			type="submit" name="start" value="Start WebGoat" /></form> | ||||
| 		</div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| 	<tr> | ||||
| 		<td> | ||||
| 		<div align="center" class="style2"> </div> | ||||
| 		</td> | ||||
| 	</tr> | ||||
| </table> | ||||
|         <div class="row"> | ||||
|             <div class="col-md-6"> | ||||
|                 <p>Contact us: | ||||
|                 <ul> | ||||
|                     <li>WebGoat mailing list: ${emailList}</li> | ||||
|                     <li>Bruce Mayhew:  ${contactEmail}</li> | ||||
|                 </ul> | ||||
|                 </p> | ||||
|             </div> | ||||
|         </div>        | ||||
|         <div class="row"> | ||||
|             <div class="col-md-6"> | ||||
|                 <p>WebGoat Authors | ||||
|                 <ul> | ||||
|                     <li>Bruce Mayhew (Project Lead)</li> | ||||
|                     <li>Jeff Williams (Original Idea)</li> | ||||
|                     <li>Richard Lawson (Architect)</li> | ||||
|                     <li>Jason White (Architect)</li> | ||||
|                 </ul> | ||||
|                 </p> | ||||
|             </div> | ||||
|             <div class="col-md-6"> | ||||
|                 <p>WebGoat Design Team | ||||
|                 <ul> | ||||
|                     <li>Richard Lawson</li> | ||||
|                     <li>Bruce Mayhew</li> | ||||
|                     <li>Jason White</li> | ||||
|                     <li>Ali Looney (User Interface)</li> | ||||
|                     <li>Jeff Wayman (Website and Docs)</li> | ||||
|                 </ul> | ||||
|                 </p> | ||||
|             </div> | ||||
|         </div> | ||||
|         <div class="row"> | ||||
|             <div class="col-md-6"> | ||||
|                 <p>Active Contributors | ||||
|                 <ul> | ||||
|                     <li>Nanne Baars (Developer)</li> | ||||
|                     <li>Dave Cowden (Everything)</li> | ||||
|                     <li>Keith Gasser (Survey/Security)</li> | ||||
|                     <li>Devin Mayhew (Setup/Admin)</li> | ||||
|                     <li>Li Simon (Developer)</li> | ||||
|                 </ul> | ||||
|                 </p> | ||||
|             </div> | ||||
|             <div class="col-md-6"> | ||||
|                 <p>Past Contributors | ||||
|                 <ul> | ||||
|                     <li>David Anderson (Developer/Design)</li> | ||||
|                     <li>Christopher Blum (Lessons)</li> | ||||
|                     <li>Laurence Casey (Graphics)</li> | ||||
|                     <li>Brian Ciomei (Bug fixes)</li> | ||||
|                     <li>Rogan Dawes (Lessons)</li> | ||||
|                     <li>Erwin Geirnaert (Solutions)</li> | ||||
|                     <li>Aung Knant (Documentation)</li> | ||||
|                     <li>Ryan Knell (Lessons)</li> | ||||
|                     <li>Christine Koppeit (Build)</li> | ||||
|                     <li>Sherif Kousa (Lessons/Documentation)</li> | ||||
|                     <li>Reto Lippuner (Lessons)</li> | ||||
|                     <li>PartNet (Lessons)</li> | ||||
|                     <li>Yiannis Pavlosoglou (Lessons)</li> | ||||
|                     <li>Eric Sheridan (Lessons)</li> | ||||
|                     <li>Alex Smolen (Lessons)</li> | ||||
|                     <li>Chuck Willis (Lessons)</li> | ||||
|                     <li>Marcel Wirth (Lessons)</li> | ||||
|                 </ul> | ||||
|                 </p> | ||||
|                 <p>Did we miss you? Our sincere apologies, as we know there have | ||||
|                     been many contributors over the years. If your name does not | ||||
|                     appear in any of the lists above, please send us a note. We'll | ||||
|                     get you added with no further sacrifices required.</p> | ||||
|             </div> | ||||
|         </div> | ||||
|     </div> | ||||
|     <div class="modal-footer"> | ||||
|         <button type="button" class="btn btn-default" data-dismiss="modal">Close</button> | ||||
|     </div> | ||||
| </div> | ||||
| </div> | ||||
| <div align="center" class="style2"> </div> | ||||
| <div align="center" class="style2"> </div> | ||||
| <div align="center" class="style2"> </div> | ||||
| <div id="warning_ch">WARNING<br /> | ||||
| While running this program, your machine is extremely vulnerable to | ||||
| attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. | ||||
| <br /> | ||||
| <br /> | ||||
| This program is for educational purposes only. Use of these techniques | ||||
| without permission could lead to job termination, financial liability, | ||||
| and/or criminal penalties.</div> | ||||
| </div> | ||||
| </body> | ||||
| </html> | ||||
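Review bot: The rewrite drops the old page's WARNING block — that the machine is open to attack when WebGoat is not bound to localhost and that the techniques are for educational use only — and the new modal body carries no equivalent, so a user who opens WebGoat on a reachable interface no longer sees that caution on this page. Add a short paragraph to the modal body, e.g. `<p class="text-danger">While running WebGoat your machine is vulnerable to attack if it is not bound to localhost; use it only on a trusted network and for educational purposes.</p>`. The new version also renders `${version}`, `${build}`, `${emailList}` and `${contactEmail}` with plain EL, which does not HTML-escape; presumably these come from build properties and configuration rather than from the request, in which case that is acceptable — confirm. Minor markup point: `<ul>` nested directly inside `<p>` is not valid HTML and browsers close the `<p>` early.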
|  | ||||