dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WEB-126 Updated all introduction lessons

Browse Source
This commit is contained in:
Bruce Mayhew 2014-09-13 13:13:44 -04:00
parent 710e3ee1ee
commit 43fccdcaf7
7 changed files with 49 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/main/webapp/images/introduction/firebug.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 KiB

BIN
src/main/webapp/images/introduction/iewatch.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 52 KiB

BIN
src/main/webapp/images/introduction/interface.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

BIN
src/main/webapp/images/introduction/interface.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 324 KiB

BIN
src/main/webapp/images/introduction/webscarab.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

66
src/main/webapp/lesson_plans/English/HowToWork.html
View File

@ -1,29 +1,23 @@
<!-- Start Instructions --> <!-- Start Instructions -->
<h1>How To Work With WebGoat</h1> <h1>How To Work With WebGoat</h1>
<p> <p>
Welcome to a short introduction to WebGoat.<br> Welcome to a brief overview of WebGoat.<br>
Here you will learn how to use WebGoat and additional tools for the lessons.<br><br>
</p> </p>
<h2>Environment Information</h2> <h2>Environment Information</h2>
<p> <p>
WebGoat uses the Apache Tomcat server. It is configured to run on localhost although this can be WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on
easily changed. This localhost although this can be easily changed. </p>
configuration is for single user, additional users can be added in the tomcat-users.xml file.
If you want to use WebGoat in a laboratory or in
class you might need to change this setup. Please refer to the Tomcat Configuration
in the Introduction section.</p>
<h2>The WebGoat Interface</h2> <h2>The WebGoat Interface</h2>
<p> <p>
<img src="images/introduction/interface.jpg"><br><br> <img src="images/introduction/interface.png"><br><br>
1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br> 1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br>
2. This will show technical hints to solve the lesson.<br> 2. This will show the underlying Java source code.<br>
3. This will show the HTTP Request Parameters<br> 3. This will show the complete solution of the selected lesson.<br>
4. This will show the HTTP Request Cookies<br> 4. This will show goals and objectives of the lesson.<br>
5. This will show goals and objectives of the lesson.<br> 5. This will show technical hints to solve the lesson.<br>
6. This will show the underlying Java source code.<br> 6. This will show the HTTP request data<br>
7. This will show the complete solution of the selected lesson.<br> 7. If you want to restart a lesson you can use this link.</p>
8. If you want to restart a lesson you can use this link.</p>
<h2>Solve The Lesson</h2> <h2>Solve The Lesson</h2>
<p> <p>
Always start with the lessons plan. Then try to solve the lesson and if necessary, Always start with the lessons plan. Then try to solve the lesson and if necessary,
@ -32,12 +26,48 @@ solution for complete details.</p>
<h2>Read And Edit Parameters</h2> <h2>Read And Edit Parameters</h2>
<p> <p>
To read and edit Parameters you need a local proxy to intercept the HTTP request. To read and edit Parameters you need a local proxy to intercept the HTTP request.
Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter. Here we use OWASP ZAP. More information on ZAP can be found in the "Useful Tools" Chapter.
</p> </p>
<h2>Read And Edit Cookies</h2> <h2>Read And Edit Cookies</h2>
<p> <p>
Often it is not only necessary to change the value of the parameters but to change the value of cookies. Often it is not only necessary to change the value of the parameters but to change the value of cookies.
WebScarab has functionality for this as well. OWASP ZAP has functionality for this as well.
</p> </p>
<h2>Configuring new WebGoat users</h2>
<p>
WebGoat uses spring-security.xml to configure users.
<br/>
<pre>
&lt;!-- Authentication Manager --&gt;
&lt;authentication-manager alias="authenticationManager"&gt;
&lt;authentication-provider&gt;
&lt;user-service&gt;
&lt;user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /&gt;
&lt;user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /&gt;
&lt;user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /&gt;
&lt;/user-service&gt;
&lt;/authentication-provider&gt;
&lt;/authentication-manager&gt;
</pre>
</p>
<h2>Adding Users</h2>
<p>
Usually using WebGoat you just use the user guest with the password guest.
But maybe in laboratory you have made a setup with one server and a lot of
clients. In this case you might want to have a user for every client
and you have to alter /WEB-INF/spring-security.xml as the users are stored there. <b>We recommend not to use real passwords
as the passwords are stored in plain text in this file!</b>
</p>
<h3>Add User</h3>
<p>
Adding a user is straight forward. You can use the guest entry as an example. The added
users should have the same role as the guest user. The new user/password will not show on the login page.
Add lines like this to the file:
</p>
<pre>
&lt;user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /&gt;
...
</pre>
<!-- Stop Instructions --> <!-- Stop Instructions -->

37
src/main/webapp/lesson_plans/English/TomcatSetup.html
View File

@ -78,41 +78,6 @@ only discussed the whitebox approach. You have to add following lines to the Hos
</pre> </pre>
<p>In this case only localhost, ip1 and ip2 are permitted to connect.</p> <p>In this case only localhost, ip1 and ip2 are permitted to connect.</p>
<h2>Configuring new WebGoat users</h2>
<p>
WebGoat uses spring-security.xml to configure users.
<br/>
<pre>
&lt;!-- Authentication Manager --&gt;
&lt;authentication-manager alias="authenticationManager"&gt;
&lt;authentication-provider&gt;
&lt;user-service&gt;
&lt;!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --&gt;
&lt;user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /&gt;
&lt;user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /&gt;
&lt;user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /&gt;
&lt;/user-service&gt;
&lt;/authentication-provider&gt;
&lt;/authentication-manager&gt;
</pre>
</p>
<h2>Adding Users</h2>
<p>
Usually using WebGoat you just use the user guest with the password guest.
But maybe in laboratory you have made a setup with one server and a lot of
clients. In this case you might want to have a user for every client
and you have to alter /WEB-INF/spring-security.xml as the users are stored there. <b>We recommend not to use real passwords
as the passwords are stored in plain text in this file!</b>
</p>
<h3>Add User</h3>
<p>
Adding a user is straight forward. You can use the guest entry as an example. The added
users should have the same role as the guest user. The new user/password will not show on the login page.
Add lines like this to the file:
</p>
<pre>
&lt;user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /&gt;
...
</pre>
<!-- Stop Instructions --> <!-- Stop Instructions -->