WEB-126 some additional grammar cleanup

This commit is contained in:
Bruce Mayhew 2014-09-17 11:06:27 -04:00
parent 0ab1d9a6f1
commit 624c2833bc
2 changed files with 32 additions and 40 deletions

View File

@ -6,33 +6,28 @@ Welcome to a brief overview of WebGoat.<br>
<h2>Environment Information</h2>
<p>
WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on
localhost although this can be easily changed. </p>
localhost although this can be easily changed, see the ""Tomcat Configuration"" section in the Introduction. </p>
<h2>The WebGoat Interface</h2>
<p>
<img src="images/introduction/interface.png"><br><br>
1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br>
1. Lesson Categories in WebGoat. Click on a Category to see specific Lessons.<br>
2. This will show the underlying Java source code.<br>
3. This will show the complete solution of the selected lesson.<br>
4. This will show goals and objectives of the lesson.<br>
5. This will show technical hints to solve the lesson.<br>
6. This will show the HTTP request data<br>
6. This shows the HTTP request data<br>
7. If you want to restart a lesson you can use this link.</p>
<h2>Solve The Lesson</h2>
<p>
Always start with the lessons plan. Then try to solve the lesson and if necessary,
Always start with the lesson plan. Then try to solve the lesson and if necessary,
use the hints. The last hint is the solution text if applicable. If you cannot solve the lesson using the hints, you may view the
solution for complete details.</p>
<h2>Read And Edit Parameters</h2>
<p>
To read and edit Parameters you need a local proxy to intercept the HTTP request.
Here we use OWASP ZAP. More information on ZAP can be found in the "Useful Tools" Chapter.
</p>
<h2>Read And Edit Cookies</h2>
<p>
Often it is not only necessary to change the value of the parameters but to change the value of cookies.
OWASP ZAP has functionality for this as well.
<h2>Read And Edit Parameters/Cookies</h2>
<p>
To read and edit parameters and cookies you need a local proxy like OWASP ZAP to intercept the HTTP request.
More information on ZAP can be found in the "Useful Tools" section in the Introduction.
</p>
<h2>Configuring new WebGoat users</h2>
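Review bot: the new Environment Information sentence wraps the section name in doubled quotes (`""Tomcat Configuration""`), which will render as two quote characters on each side; it should be `see the "Tomcat Configuration" section in the Introduction`. In the interface list, item 6 now reads "This shows the HTTP request data" without a trailing period while items 2 to 5 keep the "This will show ..." wording, so either align item 6 with the others or drop "will" from all of them for consistency. Merging the two "Read And Edit" sections into one is a good cleanup: the old "Read And Edit Cookies" paragraph had no closing `</p>`, and the merged replacement is properly closed.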
@ -54,17 +49,17 @@ WebGoat uses spring-security.xml to configure users.
</p>
<h2>Adding Users</h2>
<p>
Usually using WebGoat you just use the user guest with the password guest.
Usually WebGoat only requires logging in with the user:guest and password:guest.
But maybe in laboratory you have made a setup with one server and a lot of
clients. In this case you might want to have a user for every client
and you have to alter /WEB-INF/spring-security.xml as the users are stored there. <b>We recommend not to use real passwords
clients. In this case you might want to have a user for every client,
you will have to alter /WEB-INF/spring-security.xml to add additional users. <b>We recommend not to use real passwords
as the passwords are stored in plain text in this file!</b>
</p>
<h3>Add User</h3>
<h3>Adding a new User</h3>
<p>
Adding a user is straight forward. You can use the guest entry as an example. The added
users should have the same role as the guest user. The new user/password will not show on the login page.
Add lines like this to the file:
Add lines like this to the /WEB-INF/spring-security.xml file:
</p>
<pre>
&lt;user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /&gt;
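Review bot: the rewritten Adding Users paragraph has a comma splice, "In this case you might want to have a user for every client, you will have to alter /WEB-INF/spring-security.xml"; suggest "In this case you might want a user for every client, so you will have to alter /WEB-INF/spring-security.xml to add the additional users." Also "user:guest and password:guest" reads oddly in prose; "the user guest with the password guest" (as in the line being replaced) is clearer. Minor points: "straight forward" should be "straightforward", and the heading "Adding a new User" should be "Adding a new user" (or "Adding a New User") to match the capitalization of the other headings. The bold warning that passwords are stored in plain text in this file is the right thing to keep prominent, since the sample entry that follows uses the same string for name and password.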

View File

@ -2,29 +2,25 @@
<!-- Start Instructions -->
<h1>Useful Tools</h1>
<p>
Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab or Paros to solve most of the lessons. </p>
<h2>WebScarab:</h2>
Below is a list of tools we've found useful in solving the WebGoat lessons. You will need a proxy like OWASP ZAP or Paros to solve most of the lessons. </p>
<h2>OWASP ZAP:</h2>
<p>
Like WebGoat, WebScarab is a part of OWASP.
WebScarab is a proxy for analyzing applications that
communicate using the HTTP and HTTPS protocols. Because WebScarab
operates as an intercepting proxy, we can review and modify requests
and responses.<br><br>
<img src="images/introduction/webscarab.jpg"><br><br>
Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
Like WebGoat, Zed Attack Proxy (ZAP) is a part of OWASP and is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually..<br><br>
<img src="images/introduction/UsefulTools-ZAP.png"><br><br>
Webpage: <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a>
<br>The .jar install file can be found at the <a href="http://code.google.com/p/zaproxy/wiki/Downloads?tm=2">OWASP ZAP Google Code Project</a></p>
<p>After installing ZAP and configuring your browser to use it as a proxy on localhost we can start. To intercept a request,
click the green arrow icon turning it red. If we browse a WebGoat page, ZAP will intercept the HTTP request.
Here we can read and edit the intercepted parameters and headers. After editing is complete press the play icon to submit the request to the server.<br>
<img src="images/introduction/UsefulTools-ZAP_1.png"><br><br>
</p>
<h2>Firebug:</h2>
<h2>Modern Browsers:</h2>
<p>
Firebug is an add-on for the Firefox browser. We can use it to inspect, edit and monitor CSS, HTML and JavaScript.<br><br>
<img src="images/introduction/firebug.jpg"><br><br>
Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebug.com</a>
Most modern browser have developer tools that will allow you to inspect and modify request data.
<br><br>
<h2>IEWatch:</h2>
<p>
IEWatch is a tool to analyze HTTP and HTML for users of the Internet Explorer.<br><br>
<img src="images/introduction/iewatch.jpg"><br><br>
Webpage:<a href="http://www.iewatch.com" target="_blank">http://www.iewatch.com</a>
</p>
<h2>Wireshark</h2>
<p>
Wireshark is a network protocol analyzer. You can sniff network traffic and gather useful
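Review bot: the new "Modern Browsers" paragraph opens a `<p>` but never closes it before the `<h2>IEWatch:</h2>` that follows (the Firebug paragraph it replaces had the same problem), and "Most modern browser have developer tools" should be "Most modern browsers have developer tools". In the ZAP description there is a doubled period after "find security vulnerabilities manually..", and "easy to use integrated penetration testing tool" should be hyphenated as "easy-to-use". The ZAP walkthrough also switches between "your browser" and "we can start"; pick one voice. Since Firebug was replaced with a generic browser developer-tools note, consider whether the IEWatch section (an Internet Explorer-only tool) still belongs in this list, or whether it should be folded into the same generic paragraph.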
@ -34,11 +30,12 @@ Webpage:<a href="http://www.wireshark.org" target="_blank">http://www.wireshark.
</p>
<h2>Scanner:</h2>
<h2>Scanners (Attacking Proxies):</h2>
<p>
There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to two open source scanner. <br><br>
There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to three open source scanners. <br><br>
Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br>
Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br>
OWASP ZAP:<a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a><br>
</p>
<!-- Stop Instructions -->
<br>
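Review bot: the heading was changed to "Scanners (Attacking Proxies):", but the paragraph under it still describes "vulnerability scanners" and the list mixes one scanner (Nessus) with two proxies (Paros and ZAP), so the heading and body no longer agree; "Scanners and Attacking Proxies:" would cover both. The count was updated from two to "three open source scanners" when the ZAP link was added; double-check that all three are actually open source before describing them that way, or drop the adjective. Also, ZAP is already covered at length in its own section above, so the duplicate link here could point readers there instead of repeating the URL.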