* Hints added

* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_plans/HowToWork.html

@@ -0,0 +1,31 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Work with WebGoat </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+Welcome to a short introduction of WebGoat.<br> 
+Here you will learn how to use WebGoat and additional tools for the lessons.<br><br>
+<b>The interface of WebGoat</b><br><br>
+<img src="/WebGoat/images/introduction/interface.jpg"><br><br>
+1. Here you see all Categories of Lessons in WebGoat. Click on the Categories to see all Lessons in it.<br>
+2. This link will give you the technical background to solve the lesson.<br>
+3. Do you need some help to find the solution? Here you will find useful hints.<br>
+4. Here you will find a complete solution of the selected lesson.<br>
+5. If you want to restart a lesson you can use this link.<br><br><br>
+<b>Solve the Lesson</b><br><br>
+Always read first the lessons plan. Then try to solve the lesson and if necessary, use the hints. If you cannot solve the lesson using the hints, you may watch the solution. Here every step is explained.<br><br><br>
+<b>Read and edit Parameters</b><br><br>
+To read and edit Parameters you need a proxy to intercept the HTTP request. Here we use WebScarab. More informations to WebScarab you will get in the Chapter "Useful Tools".
+After installing WebScarab and making a proxy on localhost we can start.<br><br>
+<img src="/WebGoat/images/introduction/HowToUse_1.jpg"><br><br>
+We have to select "intercept request" in the tab "Intercept". If we send a new HTTP request now, we get a new WebScarab window.<br><br>
+<img src="/WebGoat/images/introduction/HowToUse_2.jpg"><br><br>
+Here we can read and edit the sent parameter. After "Accept changes" the request will be sent to the server.
+<br><br><br>
+<b>Read and edit Cookies</b><br><br>
+Often it is not only necessary to change the value of parameters but to change the value of cookies. We use again WebScarab and intercept the request as explained in the last topic.<br><br>
+<img src="/WebGoat/images/introduction/HowToUse_3.jpg"><br><br>
+We again get the new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
+<br><br><br>
+<!-- Stop Instructions -->

main/project/WebContent/lesson_plans/HtmlClues.html

@@ -4,7 +4,7 @@
  
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
- Developers are notorious for leaving statements like FIXME's, Code Broken, Hack, etc... inside the source code. &nbsp;Review the source code for any comments denoting&nbsp; passwords, backdoors, or something doesn't work right.&nbsp;
+ Developers are notorious for leaving statements like TODO's, Code Broken, Hack, etc... inside the source code. &nbsp;Review the source code for any comments denoting&nbsp; passwords, backdoors, or something doesn't work right.&nbsp;
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>

main/project/WebContent/lesson_plans/HttpBasics.html

@@ -23,5 +23,5 @@ After sending the request and headers, the client may send additional data. This
 Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request.
 <br/><br/>
 The user should become familiar with the features of WebGoat by manipulating the above 
-buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code.
+buttons to view hints and solution. You have to use WebScarab for the first time.
 <!-- Stop Instructions -->

main/project/WebContent/lesson_plans/MultiLevelLogin1.html

@@ -0,0 +1,20 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> Multi Level Login 1</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+A Multi Level Login should provide a strong authentication. 
+This is archived by adding a second layer. After having 
+logged in with your user name and password you are asked
+for a 'Transaction Authentication Number' (TAN). This is 
+often used by online banking. You get a list with a lots 
+of TANs generated only for you by the bank. Each TAN is used only once. 
+Another method is to provide the TAN by SMS. This has
+the advantage that an attacker can not get TANs provided
+by the user.
+<p><b>General Goal(s):</b> </p>
+In this Lesson you try to get around the strong authentication. 
+You have to break into another account. The user name, password and a 
+already used TAN is provided. You have to make sure
+the server accept the TAN even it is already used.
+<!-- Stop Instructions -->

main/project/WebContent/lesson_plans/MultiLevelLogin2.html

@@ -0,0 +1,20 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> Multi Level Login 2</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+A Multi Level Login should provide a strong authentication. 
+This is archived by adding a second layer. After having 
+logged in with your user name and password you are asked
+for a 'Transaction Authentication Number' (TAN). This is 
+often used by online banking. You get a list with a lots 
+of TANs generated only for you by the bank. Each TAN is used only once. 
+Another method is to provide the TAN by SMS. This has
+the advantage that an attacker can not get TANs provided
+by the user.
+<p><b>General Goal(s):</b> </p>
+In this lesson you have to try to break into another account. 
+You have an own account for WebGoat Financial but you want to
+log into another account only knowing the user name of the victim
+to attack.
+<!-- Stop Instructions -->

main/project/WebContent/lesson_plans/PasswordStrength.html

@@ -0,0 +1,10 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> Password Strength</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+Accounts are only as secure as there passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+<!-- Stop Instructions -->
+<br>
+<p><b>General Goal(s):</b> </p>
+ For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>

main/project/WebContent/lesson_plans/Phishing.html

@@ -0,0 +1,16 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Phishing with XSS </p>
+ </div>
+ <p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+It is always a good practice to validate all input on the server side.
+ XSS can occur when unvalidated user input is used in an HTTP response. 
+ With the help of XSS you can do a Phishing Attack and add content to a page
+ which looks official. It is very hard for a victim to determinate
+ that the content is malicious.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+The user should be able to add a form asking for username
+and password. On submit the input should be sent
+to http://localhost/WebGoat/catcher?PROPERTY=yes &user=catchedUserName&password=catchedPasswordName
+

main/project/WebContent/lesson_plans/ReflectedXSS.html

@@ -3,7 +3,11 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it. 
+It is always a good practice to validate all input on the server side.
+ XSS can occur when unvalidated user input is used in an HTTP response. 
+ In a reflected XSS attack, an attacker can craft a URL with the attack 
+ script and post it to another website, email it, or otherwise get a 
+ victim to click on it. 
 <!-- Stop Instructions -->
 <p><b>General Goal(s):</b> </p>
 For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad.

main/project/WebContent/lesson_plans/SQLInjection.html

@@ -0,0 +1,14 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Perform a SQL Injection </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack. 
+<br><br>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
+<br>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.<br>
+<p><b>General Goal(s):</b> </p>
+For this exercise, you will perform SQLInjection attacks. You will also implement code changes in the web application to defeat these attacks. 
+<!-- Stop Instructions -->

main/project/WebContent/lesson_plans/UsefulTools.html

@@ -0,0 +1,28 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Useful Toolst </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+Here we want to present you some useful tools. You will need WebScarab to solve most of the lessons. <br><br> 
+<b>WebScarab:</b><br><br>
+As WebGoat, WebScarab is a part of OWASP. WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. Because WebScarab operates as an intercepting proxy, we can review and modify requests and responses.<br><br>
+<img src="/WebGoat/images/introduction/webscarab.jpg"><br><br>
+Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
+<br><br>
+<b>Firebug:</b><br><br>
+Firebug is an add-on for the Firefox browser. We can use it to inspect, edit and monitor CSS, HTML and JavaScript.<br><br>
+<img src="/WebGoat/images/introduction/firebug.jpg"><br><br>
+Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebug.com</a>
+<br><br>
+<b>IEWatch:</b><br><br>
+IEWatch is a tool to analyse HTTP and HTML for users of the Internet Explorer.<br><br>
+<img src="/WebGoat/images/introduction/iewatch.jpg"><br><br>
+Webpage:<a href="http://www.iewatch.com" target="_blank">http://www.iewatch.com</a>
+<br><br>
+<b>Scanner:</b><br><br>
+There exist a lot of vulnerability scanner for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Here the links to two open source scanner. <br><br>
+Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br>
+Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br>
+<!-- Stop Instructions -->
+<br>