* Hints added

* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_solutions/ClientSideValidation.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Insecure Client Storage</title>
+<link rel="stylesheet" type="text/css"
+	href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Insecure Client Storage</p>
+
+<p><b>Concept / Topic To Teach:</b><br />
+It is always a good practice to validate all input
+ on the server side. Leaving the mechanism for validation 
+ on the client side leaves it vulnerable to reverse engineering. 
+ Remember, anything on the client side should not be considered a secret.</p>
+
+
+
+<p><b>General Goal(s):</b><br />
+For this exercise, your mission is to discover a coupon 
+code to receive an unintended discount. Then, exploit the use 
+of client side validation to submit an order with a cost of zero. </p>
+
+<p><b>Solution:</b><br />
+For the solution you need a plugin for your browser, which is capable of debugging
+Javascript. For IE you can use IEWatch. This solution is written for Firebug
+which is a plugin for Firefox.
+</p>
+
+<h2>Stage 1</h2>
+<p>
+First we want to try to get a coupon code to get something cheaper. Open 
+Firebug and click on the Script Tab. Make sure you choose clientSideValidation.js
+on the dropdown list. Toggle a breakpoint on the line:<br/>
+<code>decrypted = decrypt(coupons[i]);</code></p>
+Now enter a character in the coupon code field. The Javascript gets executed
+but stops at the breakpoint. On the right side you see the parameters
+and there values. Now use the step over symbol or F10. Now you can read
+the clear text of decrypted:
+<center>
+<img src="/WebGoat/lesson_solutions/ClientSideValidation_files/ClientSideValidation_stage1.png" width=450px alt="Stage 1" />
+<b>Figure 1 Firebug in action</b>
+</center>
+<p>
+Now that you know the coupon name enter it in the coupon field, purchase something
+and you are done.
+</p>
+
+<h2>Stage 2</h2>
+<p>
+You can not edit the Prices in the Shopping Cart. The reason is that the readonly 
+attribute is set for this field. 
+</p>
+<p>To get rid of this attribute open Firebug. Make sure this time you use
+the HTML View. You can directly in 
+Firebug search for readonly and elemenate this attribute.The field for the total is
+called GRANDTOT. After having deleted the readonly attribute from GRANDTOT
+it is possible to change the price directly in the browser. Select any products
+you like, change the total field to 0 and hit the purchase button.</p>
+
+</body>
+</html>