dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replace the "Stage n" text in the instructions

Browse Source 
Since we now use a link in the menu to choose a stage, rather than the
drop down, we need the Stage number to be visible


git-svn-id: http://webgoat.googlecode.com/svn/trunk@231 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes 2008-01-10 10:10:29 +00:00
parent 8b21a7785e
commit 531991f26d
3 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
View File

@ -155,37 +155,37 @@ public class CrossSiteScripting extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
instructions = "Execute a Stored Cross Site Scripting (XSS) attack.<br>"
instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br>"
+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
+ "Verify that 'Jerry' is affected by the attack.";
}
else if (STAGE2.equals(stage))
{
instructions = "Block Stored XSS using Input Validation.<br>"
instructions = "Stage 2: Block Stored XSS using Input Validation.<br>"
+ "Implement a fix to block the stored XSS before it can be written to the database. "
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
}
else if (STAGE3.equals(stage))
{
instructions = "Execute a previously Stored Cross Site Scripting (XSS) attack.<br>"
instructions = "Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.<br>"
+ "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. "
+ "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place.";
}
else if (STAGE4.equals(stage))
{
instructions = "Block Stored XSS using Output Encoding.<br>"
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br>"
+ "Implement a fix to block XSS after it is read from the database. "
+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
}
else if (STAGE5.equals(stage))
{
instructions = "Execute a Reflected XSS attack.<br>"
instructions = "Stage 5: Execute a Reflected XSS attack.<br>"
+ "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. "
+ "Verify that another employee using the link is affected by the attack.";
}
else if (STAGE6.equals(stage))
{
instructions = "Block Reflected XSS using Input Validation.<br>"
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br>"
+ "Implement a fix to block this reflected XSS attack. "
+ "Repeat step 5. Verify that the attack URL is no longer effective.";
}

8
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
View File

@ -142,24 +142,24 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
instructions = "Bypass Presentational Layer Access Control.<br>"
instructions = "Stage 1: Bypass Presentational Layer Access Control.<br>"
+ "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
+ "Verify that Tom's profile can be deleted.";
}
else if (STAGE2.equals(stage))
{
instructions = "Add Business Layer Access Control.<br>"
instructions = "Stage 2: Add Business Layer Access Control.<br>"
+ "Implement a fix to deny unauthorized access to the Delete function. "
+ "Repeat stage 1. Verify that access to Delete is properly denied.";
}
else if (STAGE3.equals(stage))
{
instructions = "Breaking Data Layer Access Control.<br>"
instructions = "Stage 3: Breaking Data Layer Access Control.<br>"
+ "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
}
else if (STAGE4.equals(stage))
{
instructions = "Add Data Layer Access Control.<br>"
instructions = "Stage 4: Add Data Layer Access Control.<br>"
+ "Implement a fix to deny unauthorized access to this data. "
+ "Repeat stage 3. Verify that access to other employee's profiles is properly denied.";
}

8
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
View File

@ -150,25 +150,25 @@ public class SQLInjection extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
instructions = "Use String SQL Injection to bypass authentication. "
instructions = "Stage 1: Use String SQL Injection to bypass authentication. "
+ "Use SQL injection to log in as the boss ('Neville') without using the correct password. "
+ "Verify that Neville's profile can be viewed and that all functions are available (including Search, Create, and Delete).";
}
else if (STAGE2.equals(stage))
{
instructions = "Block SQL Injection using a Parameterized Query.<br>"
instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br>"
+ "Implement a fix to block SQL injection into the fields in question on the Login page. "
+ "Repeat stage 1. Verify that the attack is no longer effective.";
}
else if (STAGE3.equals(stage))
{
instructions = "Execute SQL Injection to bypass authorization.<br>"
instructions = "Stage 3: Execute SQL Injection to bypass authorization.<br>"
+ "As regular employee 'Larry', use SQL injection into a parameter of the View function "
+ "(from the List Staff page) to view the profile of the boss ('Neville').";
}
else if (STAGE4.equals(stage))
{
instructions = "Block SQL Injection using a Parameterized Query.<br>"
instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br>"
+ "Implement a fix to block SQL injection into the relevant parameter. "
+ "Repeat stage 3. Verify that access to Neville's profile is properly blocked.";
}