diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
index 6a8e10f58..c848a8b91 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@@ -155,37 +155,37 @@ public class CrossSiteScripting extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
- instructions = "Execute a Stored Cross Site Scripting (XSS) attack.
"
+ instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.
"
+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
+ "Verify that 'Jerry' is affected by the attack.";
}
else if (STAGE2.equals(stage))
{
- instructions = "Block Stored XSS using Input Validation.
"
+ instructions = "Stage 2: Block Stored XSS using Input Validation.
"
+ "Implement a fix to block the stored XSS before it can be written to the database. "
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
}
else if (STAGE3.equals(stage))
{
- instructions = "Execute a previously Stored Cross Site Scripting (XSS) attack.
"
+ instructions = "Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.
"
+ "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. "
+ "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place.";
}
else if (STAGE4.equals(stage))
{
- instructions = "Block Stored XSS using Output Encoding.
"
+ instructions = "Stage 4: Block Stored XSS using Output Encoding.
"
+ "Implement a fix to block XSS after it is read from the database. "
+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
}
else if (STAGE5.equals(stage))
{
- instructions = "Execute a Reflected XSS attack.
"
+ instructions = "Stage 5: Execute a Reflected XSS attack.
"
+ "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. "
+ "Verify that another employee using the link is affected by the attack.";
}
else if (STAGE6.equals(stage))
{
- instructions = "Block Reflected XSS using Input Validation.
"
+ instructions = "Stage 6: Block Reflected XSS using Input Validation.
"
+ "Implement a fix to block this reflected XSS attack. "
+ "Repeat step 5. Verify that the attack URL is no longer effective.";
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index 089fb3359..ad3284814 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -142,24 +142,24 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
- instructions = "Bypass Presentational Layer Access Control.
"
+ instructions = "Stage 1: Bypass Presentational Layer Access Control.
"
+ "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
+ "Verify that Tom's profile can be deleted.";
}
else if (STAGE2.equals(stage))
{
- instructions = "Add Business Layer Access Control.
"
+ instructions = "Stage 2: Add Business Layer Access Control.
"
+ "Implement a fix to deny unauthorized access to the Delete function. "
+ "Repeat stage 1. Verify that access to Delete is properly denied.";
}
else if (STAGE3.equals(stage))
{
- instructions = "Breaking Data Layer Access Control.
"
+ instructions = "Stage 3: Breaking Data Layer Access Control.
"
+ "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
}
else if (STAGE4.equals(stage))
{
- instructions = "Add Data Layer Access Control.
"
+ instructions = "Stage 4: Add Data Layer Access Control.
"
+ "Implement a fix to deny unauthorized access to this data. "
+ "Repeat stage 3. Verify that access to other employee's profiles is properly denied.";
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
index 2eefe6f13..7df7b9993 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
@@ -150,25 +150,25 @@ public class SQLInjection extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
- instructions = "Use String SQL Injection to bypass authentication. "
+ instructions = "Stage 1: Use String SQL Injection to bypass authentication. "
+ "Use SQL injection to log in as the boss ('Neville') without using the correct password. "
+ "Verify that Neville's profile can be viewed and that all functions are available (including Search, Create, and Delete).";
}
else if (STAGE2.equals(stage))
{
- instructions = "Block SQL Injection using a Parameterized Query.
"
+ instructions = "Stage 2: Block SQL Injection using a Parameterized Query.
"
+ "Implement a fix to block SQL injection into the fields in question on the Login page. "
+ "Repeat stage 1. Verify that the attack is no longer effective.";
}
else if (STAGE3.equals(stage))
{
- instructions = "Execute SQL Injection to bypass authorization.
"
+ instructions = "Stage 3: Execute SQL Injection to bypass authorization.
"
+ "As regular employee 'Larry', use SQL injection into a parameter of the View function "
+ "(from the List Staff page) to view the profile of the boss ('Neville').";
}
else if (STAGE4.equals(stage))
{
- instructions = "Block SQL Injection using a Parameterized Query.
"
+ instructions = "Stage 4: Block SQL Injection using a Parameterized Query.
"
+ "Implement a fix to block SQL injection into the relevant parameter. "
+ "Repeat stage 3. Verify that access to Neville's profile is properly blocked.";
}