git-svn-id: http://webgoat.googlecode.com/svn/trunk@28 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java

@@ -307,6 +307,9 @@ public class HammerHead extends HttpServlet
 					
 					s.setHasHackableAdmin( screen.getRole() );
 					
+					//More bookkeeping here to see if the user was able to force browse to the
+					//config URL.
+					s.setHasHackableConfig( s.getRequest().getRequestURI());
 					lesson.handleRequest( s );
 					s.setCurrentMenu( lesson.getCategory().getRanking() );
 				}
@@ -346,7 +349,7 @@ public class HammerHead extends HttpServlet
 					// in order to satisfy the remote admin lesson.
 					
 					s.setHasHackableAdmin( screen.getRole() );
-
+									
 					lesson.handleRequest( s );
 					s.setCurrentMenu( lesson.getCategory().getRanking() );
 				}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java

@@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
 
 import org.owasp.webgoat.session.WebSession;
@@ -14,8 +15,8 @@ import org.owasp.webgoat.session.WebSession;
  *  under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
  *  this software.
  *
- * @author     Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created    October 28, 2003
+ * @author     Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
+ * @created    November 02, 2006
  */
 public class ForcedBrowsing extends LessonAdapter
 {
@@ -28,8 +29,18 @@ public class ForcedBrowsing extends LessonAdapter
 	 */
 	protected Element createContent( WebSession s )
 	{
-		// just to get the generic how to text.
-		return super.createContent(s);
+		ElementContainer ec = new ElementContainer();
+
+		if ( s.completedHackableConfig() )
+		{				
+			makeSuccess( s );		
+		}
+		else 
+		{
+			ec.addElement( "Can you try to force browse to the config page which  "
+					+ "should only be accessed by maintenance personnel.");
+		}
+		return ec;
 	}
 
 
@@ -53,15 +64,14 @@ public class ForcedBrowsing extends LessonAdapter
 	public List getHints()
 	{
 		List hints = new ArrayList();
-		hints.add( "Lesson Hint 1" );
-		hints.add( "Lesson Hint 2" );
-
+		hints.add( "Try to guess the URL for the config page" );
+		hints.add( "The config page is guessable and hackable" );
+		hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );
+		
 		return hints;
 	}
 
 
-
-
 	private final static Integer DEFAULT_RANKING = new Integer(15);
 
 	protected Integer getDefaultRanking()
@@ -80,7 +90,7 @@ public class ForcedBrowsing extends LessonAdapter
 	
 	public Element getCredits()
 	{
-		return new StringElement("This screen created by: Your name could go here");
+		return new StringElement("This screen created by: Sherif Koussa");
 	}
 }
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java

@@ -19,6 +19,16 @@ import org.apache.ecs.html.Table;
 import org.apache.ecs.html.PRE;
 import org.apache.ecs.HtmlColor;
 
+/**
+ *  Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
+ *  Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ *  under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ *  this software.
+ *
+ * @author     Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies</a>
+ * @created    October 28, 2006
+ */
+
 public class LogSpoofing extends LessonAdapter {
 
 	private static final String USERNAME = "username";

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java

@@ -225,6 +225,8 @@ public class WebSession
 	private String feedbackAddress = "<A HREF=mailto:webgoat@aspectsecurity.com>webgoat@aspectsecurity.com</A>";
 
 	private boolean completedHackableAdmin = false;
+	
+	private boolean completedHackableConfig = false;
 
 	private int currentMenu;
 
@@ -724,6 +726,16 @@ public class WebSession
 		return ( completedHackableAdmin );
 	}
 
+	/**
+	 * Has the user ever hacked the hackable config URL
+	 * 
+	 * @return The hackable config value
+	 */
+	public boolean completedHackableConfig()
+	{
+		return ( completedHackableConfig );
+	}
+		
 	/**
 	 * Gets the authenticated attribute of the WebSession object
 	 * 
@@ -1103,6 +1115,14 @@ public class WebSession
 		}
 	}
 
+	public void setHasHackableConfig ( String url)
+	{
+		if ( config.indexOf("config") >= 0)
+		{
+			completedHackableConfig = true;
+		}	
+	}
+	
 	/**
 	 * @return Returns the isDebug.
 	 */

webgoat/main/project/WebContent/WEB-INF/web.xml

@@ -227,6 +227,11 @@
       <url-pattern>/attack</url-pattern>
     </servlet-mapping>
     
+    <servlet-mapping>
+      <servlet-name>WebGoat</servlet-name>
+      <url-pattern>/config</url-pattern>    
+    </servlet-mapping>
+
     <servlet-mapping>
       <servlet-name>LessonSource</servlet-name>
       <url-pattern>/source</url-pattern>

webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html

@@ -1,9 +1,21 @@
-<div align="Center">
-<p><b>Lesson Plan Title:</b> How to Exploit Forced Browsing</p>
-</div>
-<!-- Start Instructions -->
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b>Forced Browsing. </p>
+ </div>
+ 
 <p><b>Concept / Topic To Teach:</b> </p>
-How to Exploit Forced Browsing
+How to Exploit Forced Browsing.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible. 
+
+One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found
+</div>
 <p><b>General Goal(s):</b> </p>
-This lesson needs a creator!
-<!-- Stop Instructions -->
+<!-- Start Instructions -->
+* Your goal should be to try to guess the URL for the "config" interface.<br>
+* The "config" URL is only available to the maintenance personnel.<br>
+* The application doesn't check for horizontal priveleges.
+<!-- Stop Instructions -->