minor bug fixes and enhancements, including proper dollar value formatting

git-svn-id: http://webgoat.googlecode.com/svn/trunk@364 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java

@@ -26,6 +26,7 @@ import org.apache.ecs.html.BR;
 import org.apache.ecs.html.Center;
 import org.apache.ecs.html.H1;
 import org.apache.ecs.html.HR;
+import org.apache.ecs.html.IFrame;
 import org.apache.ecs.html.Input;
 import org.apache.ecs.html.P;
 import org.apache.ecs.html.TD;
@@ -383,18 +384,14 @@ public class Challenge2Screen extends SequentialLessonAdapter
 	{
 		ElementContainer ec = new ElementContainer();
 
-		// get current text and compare to the new text
-		String origpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP);
-		String defaced = getFileText(new BufferedReader(new FileReader(origpath)), false);
-		String origText = getFileText(new BufferedReader(new FileReader(s.getContext()
-				.getRealPath(WEBGOAT_CHALLENGE_JSP))), false);
-
 		// show webgoat.jsp text
 		ec.addElement(new H1().addElement("Original Website Text"));
-		ec.addElement(new P().addElement(origText));
+		ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc("/WebGoat/" + WEBGOAT_CHALLENGE_JSP));
 		ec.addElement(new HR());
 		ec.addElement(new H1().addElement("Defaced Website Text"));
-		ec.addElement(new P().addElement(defaced));
+		ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc(
+																			"/WebGoat/" + WEBGOAT_CHALLENGE + "_"
+																					+ s.getUserName() + JSP));
 		ec.addElement(new HR());
 
 		return ec;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java

@@ -92,6 +92,7 @@ public class HttpBasics extends LessonAdapter
 	{
 		List<String> hints = new ArrayList<String>();
 		hints.add("Type in your name and press 'go'");
+		hints.add("Turn on Show Parameters or other features");
 		hints.add("Try to intercept the request with WebScarab");
 		hints.add("Press the Show Lesson Plan button to view a lesson summary");
 		hints.add("Press the Show Solution button to view a lesson solution");

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java

@@ -1,6 +1,10 @@
 
 package org.owasp.webgoat.lessons;
 
+import java.sql.Connection;
+import java.sql.SQLException;
+import org.owasp.webgoat.session.CreateDB;
+import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.LessonTracker;
 import org.owasp.webgoat.session.RandomLessonTracker;
 import org.owasp.webgoat.session.WebSession;
@@ -14,6 +18,19 @@ public abstract class RandomLessonAdapter extends LessonAdapter
 	public void setStage(WebSession s, String stage)
 	{
 		getLessonTracker(s).setStage(stage);
+		try
+		{
+			Connection connection = DatabaseUtilities.getConnection(s);
+
+			CreateDB db = new CreateDB();
+			db.makeDB(connection);
+			System.out.println("Successfully refreshed the database.");
+
+		} catch (SQLException sqle)
+		{
+			System.out.println("Error refreshing the database!");
+			sqle.printStackTrace();
+		}
 	}
 
 	public String getStage(WebSession s)
@@ -31,8 +48,22 @@ public abstract class RandomLessonAdapter extends LessonAdapter
 		}
 		else
 		{
-			s.setMessage("You have completed " + stage + ".");
+			s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
-			if (!stage.equals(lt.getStage())) s.setMessage(" Welcome to " + lt.getStage());
+			if (!stage.equals(lt.getStage()))
+				s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
+		}
+		try
+		{
+			Connection connection = DatabaseUtilities.getConnection(s);
+
+			CreateDB db = new CreateDB();
+			db.makeDB(connection);
+			System.out.println("Successfully refreshed the database.");
+
+		} catch (SQLException sqle)
+		{
+			System.out.println("Error refreshing the database!");
+			sqle.printStackTrace();
 		}
 	}
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java

@@ -1,6 +1,7 @@
 
 package org.owasp.webgoat.lessons;
 
+import java.text.DecimalFormat;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Pattern;
@@ -76,6 +77,8 @@ public class ReflectedXSS extends LessonAdapter
 			float total = 0.0f;
 			float runningTotal = 0.0f;
 
+			DecimalFormat money = new DecimalFormat("$0.00");
+
 			// test input field1
 			if (!pattern1.matcher(param1).matches())
 			{
@@ -110,36 +113,36 @@ public class ReflectedXSS extends LessonAdapter
 			tr.addElement(new TD().addElement("69.99").setAlign("right"));
 			tr.addElement(new TD().addElement(
 												new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1",
-																												"1")))
+																												"1"))
-					.setAlign("right"));
+														.setSize(6)).setAlign("right"));
 			quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
 			total = quantity * 69.99f;
 			runningTotal += total;
-			tr.addElement(new TD().addElement("$" + total));
+			tr.addElement(new TD().addElement(money.format(total)));
 			t.addElement(tr);
 			tr = new TR();
 			tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
 			tr.addElement(new TD().addElement("27.99").setAlign("right"));
 			tr.addElement(new TD().addElement(
 												new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2",
-																												"1")))
+																												"1"))
-					.setAlign("right"));
+														.setSize(6)).setAlign("right"));
 			quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
 			total = quantity * 27.99f;
 			runningTotal += total;
-			tr.addElement(new TD().addElement("$" + total));
+			tr.addElement(new TD().addElement(money.format(total)));
 			t.addElement(tr);
 			tr = new TR();
 			tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino"));
 			tr.addElement(new TD().addElement("1599.99").setAlign("right"));
 			tr.addElement(new TD().addElement(
 												new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3",
-																												"1")))
+																												"1"))
-					.setAlign("right"));
+														.setSize(6)).setAlign("right"));
 			quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
 			total = quantity * 1599.99f;
 			runningTotal += total;
-			tr.addElement(new TD().addElement("$" + total));
+			tr.addElement(new TD().addElement(money.format(total)));
 			t.addElement(tr);
 			tr = new TR();
 			tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
@@ -147,12 +150,12 @@ public class ReflectedXSS extends LessonAdapter
 
 			tr.addElement(new TD().addElement(
 												new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4",
-																												"1")))
+																												"1"))
-					.setAlign("right"));
+														.setSize(6)).setAlign("right"));
 			quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
 			total = quantity * 299.99f;
 			runningTotal += total;
-			tr.addElement(new TD().addElement("$" + total));
+			tr.addElement(new TD().addElement(money.format(total)));
 			t.addElement(tr);
 
 			ec.addElement(t);
@@ -168,7 +171,7 @@ public class ReflectedXSS extends LessonAdapter
 
 			tr = new TR();
 			tr.addElement(new TD().addElement("The total charged to your credit card:"));
-			tr.addElement(new TD().addElement("$" + runningTotal));
+			tr.addElement(new TD().addElement(money.format(runningTotal)));
 			tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
 			t.addElement(tr);
 			tr = new TR();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java

@@ -7,11 +7,6 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Body;
-import org.apache.ecs.html.Head;
-import org.apache.ecs.html.Html;
-import org.apache.ecs.html.Title;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
@@ -100,23 +95,24 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 	 */
 	protected List<String> getHints(WebSession s)
 	{
-		String stage = getStage(s);
 		List<String> hints = new ArrayList<String>();
 		hints.add("Many sites attempt to restrict access to resources by role.");
 		hints.add("Developers frequently make mistakes implementing this scheme.");
 		hints.add("Attempt combinations of users, roles, and resources.");
 
 		// Stage 1
-
 		hints.add("Stage1: How does the application know that the user selected the delete function?");
 
-		hints.add("Stage2: You have to code to check the authorization of the user for the action.");
 		// Stage 2
+		hints.add("Stage2: You have to code to check the authorization of the user for the action.");
+
 
 		// Stage 3
 		hints.add("Stage3: How does the application know that the user selected any particular employee to view?");
 
 		// Stage 4
+		hints.add("Note that the contents of the staff listing change depending on who is logged in.");
+
 		hints
 				.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
 
@@ -147,7 +143,7 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 				instructions = "Stage 1: Bypass Presentational Layer Access Control.<br>"
 						+ "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page.  "
 						+ "Verify that Tom's profile can be deleted."
-						+ "The password for a user is always his prename.";
+						+ "The password for a user is always their first name.";
 			}
 			else if (STAGE2.equals(stage))
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java

@@ -245,7 +245,7 @@ public class SessionFixation extends SequentialLessonAdapter
 				+ "During the last week we had a few problems with our database. "
 				+ "We have received many complaints regarding incorrect account details. "
 				+ "Please use the following link to verify your account "
-				+ "data:<br><br><center><a href=http://localhost/WebGoat/"
+				+ "data:<br><br><center><a href=/WebGoat/"
 				+ link
 				+ "> Goat Hills Financial</a></center><br><br>"
 				+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java

@@ -300,8 +300,8 @@ public class SoapRequest extends SequentialLessonAdapter
 			{
 				getLessonTracker(s).setStage(3);
 				s.setMessage("Stage 2 completed. ");
-				// s.setMessage("Now, you'll craft a SOAP envelope for invoking a web service
+				// s.setMessage(
-				// directly.");
+				// "Now, you'll craft a SOAP envelope for invoking a web service directly.");
 
 				// Redirect user to Stage2 content.
 				ec.addElement(doStage3(s));
@@ -347,7 +347,7 @@ public class SoapRequest extends SequentialLessonAdapter
 		// before completing the lesson.
 		if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) >= 2)
 		{
-			/** Reset function access counters * */
+			/** Reset function access counters **/
 			accessFirstName = accessLastName = accessCreditCard = accessLoginCount = 0;
 			// SoapRequest.completed = true;
 			makeSuccess(s);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java

@@ -316,7 +316,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 				+ "\"SELECT * FROM weather_data WHERE station = \" + station ");
 		hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
 				+ "Try appending a SQL statement that always resolves to true.");
-		hints.add("Try to intercept the post request with WebScarab and replace the station " + "with 101 OR 1 = 1");
+		hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ].");
 
 		return hints;
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java

@@ -131,8 +131,8 @@ public class UncheckedEmail extends LessonAdapter
 				s.setMessage("The attack worked! Now try to attack another person than the admin.");
 			}
 
-			// only complete the lesson if they changed the "to" hidden field and they sen a
+			// only complete the lesson if they changed the "to" hidden field and they send a
-			// scripttag in the message
+			// script tag in the message
 			if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to) && message.contains("<script"))
 			{
 				makeSuccess(s);

webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java

@@ -319,7 +319,7 @@ public class CreateDB
 	}
 
 	/**
-	 * Create users whith tans
+	 * Create users with tans
 	 * 
 	 * @param connection
 	 * @throws SQLException
@@ -826,6 +826,63 @@ public class CreateDB
 	//
 	// --------------------------------------------------------------------------
 
+	/**
+	 * Start creation of data for WebServices labs
+	 */
+
+	private void createTransactionTable(Connection connection) throws SQLException
+	{
+		Statement statement = connection.createStatement();
+
+		try
+		{
+			String dropTable = "DROP TABLE transactions";
+			statement.executeUpdate(dropTable);
+		} catch (SQLException e)
+		{
+			System.out.println("Warning: unable to drop Transactions");
+		}
+
+		try
+		{
+			String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, "
+					+ "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, "
+					+ "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, "
+					+ "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")";
+
+			statement.executeUpdate(createTable);
+		} catch (SQLException e)
+		{
+			System.out.println("Error: unable to create Transactions: " + e.getLocalizedMessage());
+			throw e;
+		}
+
+		String[] data = new String[] {
+				"'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'",
+				"'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'",
+				"'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'",
+				"'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'",
+				"'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'",
+				"'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'",
+				"'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'",
+				"'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'",
+				"'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'", };
+		try
+		{
+			for (int i = 0; i < data.length; i++)
+			{
+				statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");");
+			}
+		} catch (SQLException sqle)
+		{
+			System.out.println("Error: Unable to insert data: " + sqle);
+			int errorCode = sqle.getErrorCode();
+			System.out.println("Error Code: " + errorCode);
+			// ignore exceptions for Oracle and SQL Server
+			if (errorCode != 911 && errorCode != 273) { throw sqle; }
+		}
+	}
+
 	/**
 	 * Description of the Method
 	 * 
@@ -848,6 +905,7 @@ public class CreateDB
 		createAuthTable(connection);
 		createOwnershipTable(connection);
 		createWeatherDataTable(connection);
+		createTransactionTable(connection);
 		createTanUserDataTable(connection);
 		createTanTable(connection);
 		System.out.println("Success: creating tables.");

webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java

@@ -162,13 +162,13 @@ public class LessonTracker
 	protected void setProperties(Properties props, Screen screen)
 	{
 		completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
-		maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel"));
+		maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0"));
-		numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits"));
+		numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0"));
-		viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies")).booleanValue();
+		viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies", "false")).booleanValue();
-		viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml")).booleanValue();
+		viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml", "false")).booleanValue();
-		viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan")).booleanValue();
+		viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue();
-		viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters")).booleanValue();
+		viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue();
-		viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource")).booleanValue();
+		viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue();
 	}
 
 	public static String getUserDir(WebSession s)

webgoat/main/project/WebContent/WEB-INF/webgoat_sqlserver.sql

@@ -215,7 +215,7 @@ IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
 	DROP ASSEMBLY RegexMatch;
 GO
 
-CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\project\WebContent\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
+CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
 GO
 
 CREATE FUNCTION webgoat_guest.RegexMatch (

webgoat/main/project/WebContent/lesson_plans/HttpBasics.html

@@ -23,5 +23,5 @@ After sending the request and headers, the client may send additional data. This
 Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request.
 <br/><br/>
 The user should become familiar with the features of WebGoat by manipulating the above 
-buttons to view hints and solution. You have to use WebScarab for the first time.
+buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time.
 <!-- Stop Instructions -->

webgoat/main/project/WebContent/lesson_plans/PasswordStrength.html

@@ -3,7 +3,7 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as there passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>

webgoat/main/project/WebContent/lesson_solutions/SqlNumericInjection.html

@@ -620,7 +620,7 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The
-application is taking the input from the select box and inserts it at the end of a pre-formed
+application is taking the input from the select box and inserting it at the end of a pre-formed
 SQL command.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Compound SQL

webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp

@@ -2,9 +2,9 @@
 	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
 	errorPage="" %>
 <%
-	Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY);
 	WebSession webSession = ((WebSession)session.getAttribute("websession"));
-//	int myUserId = getIntSessionAttribute(webSession, "RoleBasedAccessControl." + RoleBasedAccessControl.USER_ID);
+	Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY);
+	//int myUserId = webSession.getUserIdInLesson();
 %>
 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - View Profile Page</div>
 		<div class="lesson_text">
@@ -13,71 +13,71 @@
 						First Name:
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getFirstName()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getFirstName())%></span>
 					</TD>
 					<TD>				
 						Last Name:
 					</TD>
 					<TD>
-					 	<span class="lesson_text_db"><%=employee.getLastName()%></span>
+					 	<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getLastName())%></span>
 					</TD>
 				</TR>
 				<TR><TD>				
 						Street: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getAddress1()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getAddress1())%></span>
 					</TD>
 					<TD>				
 						City/State: 
 					<TD>
-						<span class="lesson_text_db"><%=employee.getAddress2()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getAddress2())%></span>
 					</TD>
 				</TR>
 				<TR><TD>
 						Phone: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getPhoneNumber()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getPhoneNumber())%></span>
 					</TD>
 					<TD>				
 						Start Date: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getStartDate()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getStartDate())%></span>
 					</TD>
 				</TR>
 				<TR><TD>
 			    		SSN: 
 			    	</TD>
 			    	<TD>
-			    		<span class="lesson_text_db"><%=employee.getSsn()%></span>
+			    		<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getSsn())%></span>
 					</TD>
 					<TD>				
 						Salary: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getSalary()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getSalary())%></span>
 					</TD>
 				</TR>
 				<TR><TD>
 						Credit Card: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getCcn()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getCcn())%></span>
 					</TD>
 					<TD>				
 						Credit Card Limit: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getCcnLimit()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getCcnLimit())%></span>
 					</TD>
 				</TR>
 				<TR><TD>
 						Comments: 
 					</TD>
 					<TD colspan="3">
-						<span class="lesson_text_db"><%=employee.getPersonalDescription()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getPersonalDescription())%></span>
 					</TD>
 				</TR>				
 				<TR>
@@ -88,11 +88,11 @@
 						Disc. Dates: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getDisciplinaryActionDate()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getDisciplinaryActionDate())%></span>
 					</TD>
 				<TR>
 					<TD colspan="4">
-						<span class="lesson_text_db"><%=employee.getDisciplinaryActionNotes()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getDisciplinaryActionNotes())%></span>
 					</TD>
 				</TR>
 				<TR>
@@ -100,7 +100,7 @@
 						Manager: 
 					</TD>
 					<TD>
-						<span class="lesson_text_db"><%=employee.getManager()%></span>
+						<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getManager())%></span>
 					</TD>	
 				</TR>
 				</Table>
@@ -114,7 +114,7 @@
 					 {
 					 %>
 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
-							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=(employee == null ? "unknown" : employee.getId())%>">
 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/>
 						</form>
 					 <%
@@ -126,7 +126,7 @@
 					 {
 					 %>
 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
-							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=(employee == null ? "unknown" : employee.getId())%>">
 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/>
 						</form>
 					<%
@@ -139,7 +139,7 @@
 					{
 					%>
 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
-							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=(employee == null ? "unknown" : employee.getId())%>">
 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/>
 						</form>
 					<%

webgoat/main/project/WebContent/main.jsp

@@ -98,6 +98,7 @@ StringBuffer buildList = new StringBuffer();
 	    		<% if (lesson instanceof RandomLessonAdapter) {
 					RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
 					String[] stages = rla.getStages();
+					if (stages != null)
 					for (int i=0; i<stages.length; i++) {
 	    		%>
 			    		<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
@@ -216,7 +217,17 @@ StringBuffer buildList = new StringBuffer();
 				<br/>
 				<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
 				</div>
-				<div id="lessonContent"><%=webSession.getInstructions()%></div>
+				<div id="lessonContent">
+		    		<% 
+		    		AbstractLesson lesson = webSession.getCurrentLesson();
+		    		if (lesson instanceof RandomLessonAdapter) {
+					RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
+	    		%>
+			    		<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1 %></div>
+				<% 
+					}
+				%>
+				<%=webSession.getInstructions()%></div>
 				<div id="message" class="info"><%=webSession.getMessage()%></div>
 	
 			<%