Restructured the baseline to remove extra src/main directory structure. Added eclipes project file

git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507

webapp/META-INF/MANIFEST.MF

@@ -0,0 +1 @@
+Manifest-Version: 1.0

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:p="http://www.springframework.org/schema/p" 
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	   		http://www.springframework.org/schema/context
+	   		http://www.springframework.org/schema/context/spring-context-3.0.xsd
+			http://www.springframework.org/schema/mvc 
+			http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
+
+	<context:component-scan base-package="org.owasp.webgoat.lessons" />
+	
+	<!--
+	put custom validators here.  E.g.:
+	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+	-->
+	
+	<!-- Activates various annotations to be detected in bean classes -->
+	<context:annotation-config />
+	
+	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+	<mvc:annotation-driven /> 
+	
+	<!-- Import Tiles-related configuration -->
+	<import resource="tiles-context.xml" />
+	
+		
+	<!-- Declare a view resolver -->
+	<!-- Take note of the order. Since we're using TilesViewResolver as well 
+		 We need to define which ViewResolver is called first. 
+		 We chose this InternalResourceViewResolver to be at the bottom order -->
+	<bean 
+		id="viewResolver" 
+		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+    	p:prefix="/WEB-INF/pages/" 
+    	p:suffix=".jsp" 
+    	p:order="1"/>
+    	
+	
+ 	<!-- Register the Customer.properties 
+	<bean id="messageSource"
+		class="org.springframework.context.support.ResourceBundleMessageSource">
+		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
+	</bean>
+	-->
+
+</beans>

webapp/WEB-INF/pages/layouts/genericLesson.jsp

@@ -0,0 +1,70 @@
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
+<%@ page 
+	language="java" 
+	contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"
+    import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*" 
+	errorPage=""
+	isELIgnored="false" %>
+	   
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
+		<title><tiles:insertAttribute name="title-content" /></title>
+		<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
+		<link rel="stylesheet" href="css/lesson.css" type="text/css" />
+		<link rel="stylesheet" href="css/menu.css" type="text/css" />
+		<link rel="stylesheet" href="css/layers.css" type="text/css" />
+		<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
+	</head>
+	
+	<body>
+		<%
+		Course course = ((Course)session.getAttribute("course"));
+		WebSession webSession = ((WebSession)session.getAttribute("websession"));
+		
+		// pcs 8/29/2012 - HACK  
+		// 
+		// Legacy lessons result in a call to WebSession.update().  Among other things, that call
+		// sets the previous and current screens.  The latter determines the title that is displayed 
+		// in the webgoat banner.  
+		//
+		// The new Spring-MVC jsps, among which is this genericLesson.jsp, are loaded via our dispatcher servlet
+		// and does not pass through the code path that results in that update() call.  
+		// 
+		// As a result, we must call update() explicitly here.  If we refactor away that legacy code as part
+		// of webgoat 6 development, we will need to get rid of the call below.
+		//
+		webSession.update(request, response, "genericLesson");
+		AbstractLesson currentLesson = webSession.getCurrentLesson();
+		%>
+		
+		<div id="header-style"><tiles:insertAttribute name="header-content" /></div>
+		<div><tiles:insertAttribute name="menu-content" /></div>
+		<div id="lessonTitle" align="right"><%= currentLesson.getTitle() %></div>
+		<div id="primary-style"">
+			<div id="lessonArea">			
+				<tiles:insertAttribute name="hints-params-cookies" />
+				<div id="twoCol">
+			 	 	<div id="menuSpacer"></div>
+			 	 	<div id="lessonAreaTop">	 	 	
+					    <div id="training_wrap">
+							<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
+							<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=WebGoatI18N.get("RestartLesson")%></a></div>
+						</div>
+					</div>
+				</div>	
+				<div id="lessonContent">
+					<tiles:insertAttribute name="primary-content" />
+				</div>
+			</div>
+		</div>	
+		<div id="footer-style"><tiles:insertAttribute name="footer-content" /></div>
+	</body>
+</html>

webapp/WEB-INF/pages/lessons/httpBasics.jsp

@@ -0,0 +1,77 @@
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
+<%@taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
+<%@ page 
+	language="java" 
+	contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"
+    import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson" 
+	errorPage=""
+	isELIgnored="false" %>
+	 
+ <div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;">
+ 	<div align="Center"> 
+		<p><b>Lesson Plan Title:</b> Http Basics </p>
+		</div>
+		<p><b>Concept / Topic To Teach:</b> </p>
+	This lesson presents the basics for understanding the transfer of data between the browser and the web application.<br>
+	
+	<div align="Left"> 
+		<p>
+			<b>How HTTP works:</b>
+		</p>
+		All HTTP transactions follow the same general format. Each client request and server response has three parts:  the request or response line, a header section, and the entity body. The client initiates a transaction as follows: <br>
+		<br>
+		The client contacts the server and sends a document request <br>
+	</div>
+	<br>
+
+	<ul>GET /index.html?param=value HTTP/1.0</ul>
+	Next, the client sends optional header information to inform the server of its configuration and the document formats it will accept.<br>
+	<br>
+	<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
+	After sending the request and headers, the client may send additional data. This data is mostly used by CGI programs using the POST method.<br>
+	<p><b>General Goal(s):</b> </p>
+	<%-- Start Instructions --%>	
+	Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request.
+	<br/><br/>
+	The user should become familiar with the features of WebGoat by manipulating the above 
+	buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time.
+	<%-- Stop Instructions --%>
+
+	<br/>
+	<br/>
+	<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
+</div>
+ 
+ 
+<%
+	Course course = ((Course)session.getAttribute("course"));
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+%>	 
+ 
+ <%--
+	This form posts to httpBasics.do.  However, we must append the "menu" request parameter in order
+	for the current submenu to display properly, hence the getLink() call to build the form's 
+	action attribute below. 
+  --%>
+ <form:form method="POST" action="<%= webSession.getCurrentLesson().getLink() %>">
+ 	<p>
+ 		Enter your name in the input field below and press "go" to submit. 
+ 		The server will accept the request, reverse the input, and display it back to the user, 
+ 		illustrating the basics of handling an HTTP request.
+ 	</p> 
+		
+	<p>
+		The user should become familiar with the features of WebGoat by manipulating 
+		the above buttons to view hints, show the HTTP request parameters, 
+		the HTTP request cookies, and the Java source code. 
+		You may also try using WebScarab for the first time.
+	</p>
+
+	<p>
+		Enter your name: 
+		<form:input path="personName" />
+		<input name="SUBMIT" type="SUBMIT" value="Go!"/>
+	</p>
+</form:form>

webapp/WEB-INF/pages/sections/footer.jsp

@@ -0,0 +1,7 @@
+<div id="bottom">
+	<div align="center">
+		<a href="http://www.owasp.org">OWASP Foundation</a> | 
+		<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> | 
+		<a href="reportBug.jsp">Report Bug</a>
+	</div>
+</div>

webapp/WEB-INF/pages/sections/header.jsp

@@ -0,0 +1,2 @@
+<div id="top"/>
+<div id="topLeft">

webapp/WEB-INF/pages/sections/hintsParamsAndCookies.jsp

@@ -0,0 +1,45 @@
+<%@ page 
+	language="java" 
+	contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"
+    import="java.util.Iterator, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*" 
+	errorPage=""
+	isELIgnored="false" %>
+
+<%
+Course course = ((Course)session.getAttribute("course"));
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+AbstractLesson currentLesson = webSession.getCurrentLesson();
+
+if (webSession.getHint() != null)
+{
+%>
+	<div id="hint" class="info"> <%= webSession.getHint() %> </div><br>
+<%	
+}
+
+if (webSession.getParams() != null)
+{
+	Iterator i = webSession.getParams().iterator();
+	while (i.hasNext())
+	{
+		Parameter p = (Parameter) i.next();
+%>		
+		<div id="parameter" class="info"> <%= p.getName()%> = <%= p.getValue() %></div><br>
+<%		
+	}
+}
+
+
+if (webSession.getCookies() != null)
+{
+	Iterator i = webSession.getCookies().iterator();
+	while (i.hasNext())
+	{
+		Cookie c = (Cookie) i.next();
+%>		
+		<div id="cookie" class="info"> <%= c.getName() %> <img src="images/icons/rightArrow.jpg" alt="\"><%= c.getValue() %></div><br>
+<%
+	}
+}
+%>

webapp/WEB-INF/pages/sections/menu.jsp

@@ -0,0 +1,202 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" 
+	errorPage=""  %>
+<%
+Course course = ((Course)session.getAttribute("course"));
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+AbstractLesson currentLesson = webSession.getCurrentLesson();
+%>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+
+<%
+final String menuPrefix = WebSession.MENU;
+final String submenuPrefix = "submenu";
+final String mbutPrefix = "mbut";
+String printHint = "";
+String printParameters = "";
+String printCookies = "";
+String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
+
+List categories = course.getCategories();
+
+StringBuffer buildList = new StringBuffer();
+
+	Iterator iter1 = categories.iterator();
+    while(iter1.hasNext())
+    {
+        Category category = (Category)iter1.next();
+        
+        buildList.append("'");
+        buildList.append(menuPrefix);
+        buildList.append(category.getRanking());
+        buildList.append("','");
+        buildList.append(submenuPrefix);
+        buildList.append(category.getRanking());
+        buildList.append("','");
+        buildList.append(mbutPrefix);
+        buildList.append(category.getRanking());
+        buildList.append("'");
+        
+        if (iter1.hasNext())
+        		buildList.append(",");
+    }%>
+<body class="page" onload="setMenuMagic1(10,40,10,'menubottom',<%=buildList%>);trigMM1url('<%= menuPrefix %>',1);MM_preloadImages('images/buttons/hintLeftOver.jpg','images/buttons/hintOver.jpg','images/buttons/hintRightOver.jpg','images/buttons/paramsOver.jpg','images/buttons/htmlOver.jpg','images/buttons/cookiesOver.jpg','images/buttons/javaOver.jpg','images/buttons/plansOver.jpg','images/buttons/logout.jpg','images/buttons/helpOver.jpg'); initIframe();">
+
+	<div id="wrap">
+	<%
+	int topCord = 140;
+	int zIndex = 105;
+	
+		Iterator iter2 = categories.iterator();
+		while(iter2.hasNext())
+		{
+		    Category category = (Category)iter2.next();
+		%>
+		<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>',1);return false" onfocus="if(this.blur)this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
+		<%
+		topCord=topCord + 30;
+		zIndex=zIndex + 1;
+		}
+		
+			int topSubMenu = 72;
+		
+			Iterator iter3 = categories.iterator();
+			while(iter3.hasNext())
+			{		    
+			    	Category category = (Category)iter3.next();
+				List lessons = webSession.getLessons(category);
+			    Iterator iter4 = lessons.iterator();
+			%>    
+		<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
+	  		<table width="150" border="0" cellspacing="6" cellpadding="0"><%
+
+	  		topSubMenu=topSubMenu+30;
+			zIndex=zIndex + 1;
+			
+		  	while(iter4.hasNext())
+			{		  	    
+		    		AbstractLesson lesson = (AbstractLesson)iter4.next();
+		    
+			%><tr>
+	      		<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
+	    		</tr>
+	    		<% if (lesson instanceof RandomLessonAdapter) {
+					RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
+					String[] stages = rla.getStages();
+					if (stages != null)
+					for (int i=0; i<stages.length; i++) {
+	    		%>
+			    		<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
+						</td></tr>
+				<% 
+					}
+				}
+				%>
+			<%
+			}
+			%>
+	  		</table>
+		</div><%
+			}%>
+		<div id="top"></div>
+		<div id="topLeft">
+		<div align="left">
+		<% if (currentLesson.getAvailableLanguages().size() != 0 ) 
+		{
+		%>
+		<form method="get" action="attack" style="display: inline;">
+		Choose another language: <select name="language" size="1"
+			onChange="changeLanguage();">
+			<%
+					  			for(String lang: currentLesson.getAvailableLanguages()){
+					  				%>
+			<option value="<%=lang%>"
+				<% if(webSession.getCurrrentLanguage().equals(lang)) out.println("selected" );%>><%=lang%>
+			</option>
+			<%
+					  					
+					  			}
+			%>
+		</select></form>
+		<%
+		} else {
+		%>
+			Internationalization is not available for this lesson
+		<%
+		}
+		%>
+		</div></div>
+		<div align="right" id="topRight">
+		<a href="attack?action=Logout" onmouseout="MM_swapImgRestore()"
+			onmouseover="MM_swapImage('logout','','images/buttons/logoutOver.jpg',1)"><img
+			src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
+			height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
+			onmouseout="MM_swapImgRestore()"
+			onmouseover="MM_swapImage('help','','images/buttons/helpOver.jpg',1)"><img
+			src="images/buttons/help.jpg" alt="Help" name="help" width="22"
+			height="22" border="0" id="help" /></a>
+		</div>
+			<div id="hMenuBar">
+				<% 
+				if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS))
+				{
+				%>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down','group1','hintLeft','',1)" 
+				onmouseover="MM_nbGroup('over','hintLeft','images/buttons/hintLeftOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
+				</a>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hint','',1)" 
+				onmouseover="MM_nbGroup('over','hint','images/buttons/hintOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
+				</a>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hintRight','',1)" 
+				onmouseover="MM_nbGroup('over','hintRight','images/buttons/hintRightOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
+				</a>
+				<%}%>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)" 
+				onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="87" height="20" border="0" id="params"/>
+				</a>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)" 
+				onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
+				</a>
+				<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)" 
+				onmouseover="MM_nbGroup('over','plans','images/buttons/plansOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
+				</a>
+				<% 
+				if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE))
+				{
+				%>
+				<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin"
+				onmouseover="MM_nbGroup('over','java','images/buttons/javaOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
+				</a>
+				<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');return false;" target="javaWin"
+				onmouseover="MM_nbGroup('over','solutions','images/buttons/solutionsOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
+				</a>
+				<%}%>
+								
+			</div>
+			<div id="twoCol">
+	 	 	<div id="menuSpacer"></div>
+
+	  	</div>
+	</div>
+</body>
+</html>

webapp/WEB-INF/server-config.wsdd

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
+ <globalConfiguration>
+  <parameter name="sendMultiRefs" value="true"/>
+  <parameter name="disablePrettyXML" value="true"/>
+  <parameter name="adminPassword" value="admin"/>
+<!--
+  <parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/>
+-->
+  <parameter name="dotNetSoapEncFix" value="true"/>
+  <parameter name="enableNamespacePrefixOptimization" value="true"/>
+  <parameter name="sendXMLDeclaration" value="true"/>
+<!--
+  <parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
+-->
+  <parameter name="sendXsiTypes" value="true"/>
+  <requestFlow>
+   <handler type="java:org.apache.axis.handlers.JWSHandler">
+    <parameter name="scope" value="session"/>
+   </handler>
+   <handler type="java:org.apache.axis.handlers.JWSHandler">
+    <parameter name="scope" value="request"/>
+    <parameter name="extension" value=".jwr"/>
+   </handler>
+  </requestFlow>
+ </globalConfiguration>
+ <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
+ <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
+ <handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
+ <service name="WSDLScanning" provider="java:RPC">
+  <parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
+  <parameter name="className" value="org.owasp.webgoat.lessons.WSDLScanning"/>
+ </service>
+ <service name="SoapRequest" provider="java:RPC">
+  <parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
+  <parameter name="className" value="org.owasp.webgoat.lessons.SoapRequest"/>
+ </service>
+ <service name="AdminService" provider="java:MSG">
+  <parameter name="allowedMethods" value="AdminService"/>
+  <parameter name="enableRemoteAdmin" value="false"/>
+  <parameter name="className" value="org.apache.axis.utils.Admin"/>
+  <namespace>http://xml.apache.org/axis/wsdd/</namespace>
+ </service>
+ <service name="Version" provider="java:RPC">
+  <parameter name="allowedMethods" value="getVersion"/>
+  <parameter name="className" value="org.apache.axis.Version"/>
+ </service>
+ <service name="WsSqlInjection" provider="java:RPC">
+  <parameter name="allowedMethods" value="getCreditCard"/>
+  <parameter name="className" value="org.owasp.webgoat.lessons.WsSqlInjection"/>
+ </service>
+ <transport name="http">
+  <requestFlow>
+   <handler type="URLMapper"/>
+   <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
+  </requestFlow>
+  <parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
+  <parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
+  <parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
+  <parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
+  <parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
+  <parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
+ </transport>
+ <transport name="local">
+  <responseFlow>
+   <handler type="LocalResponder"/>
+  </responseFlow>
+ </transport>
+</deployment>

webapp/WEB-INF/spring-security.xml

@@ -0,0 +1,28 @@
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans
+	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	http://www.springframework.org/schema/security
+	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+	<!--
+		PCS 8/27/2012
+		NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
+		That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
+	-->  
+    <http auto-config='true'>    	
+        <intercept-url pattern="/**" access="ROLE_USER" />
+        <http-basic/>
+    </http>
+
+    <!-- Authentication Manager -->
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+        	<user-service>
+        		<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
+            	<user name="guest" password="guest" authorities="ROLE_USER" />
+        	</user-service>
+    	</authentication-provider>
+    </authentication-manager>  
+    
+</beans:beans>

webapp/WEB-INF/tiles-context.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+	xmlns:p="http://www.springframework.org/schema/p" 
+	xsi:schemaLocation="
+		http://www.springframework.org/schema/beans 
+		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+
+	<!--
+	Note: 
+		Spring 3.0 requires Tiles 2.1.2 or above, with explicit support for Tiles 2.2. 
+		Tiles 2.1's EL support will be activated by default when running on JSP 2.1 or above 
+		and when the Tiles EL module is present in the classpath. 
+	
+	See: 
+		JIRA report for TilesViewResolver 2: https://jira.springsource.org/browse/SPR-5689
+		Apache Tiles 2: http://tiles.apache.org/
+	-->
+	
+	<!-- Convenience subclass of UrlBasedViewResolver that supports TilesView (i.e. Tiles definitions) and custom subclasses of it. -->
+	<!-- Don't forget to set the order if you declared other ViewResolvers -->
+	<!-- See http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/tiles2/TilesViewResolver.html  -->
+	<bean id="tilesviewResolver" class="org.springframework.web.servlet.view.tiles2.TilesViewResolver" 
+			p:order="0"/>
+	
+	<!-- Helper class to configure Tiles 2.x for the Spring Framework -->
+	<!-- See http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/tiles2/TilesConfigurer.html -->
+	<!-- The actual tiles templates are in the tiles-definitions.xml -->
+	<bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
+		<property name="definitions">
+			<list>
+				<value>/WEB-INF/tiles-definitions.xml</value>
+			</list>
+		</property>
+	</bean> 
+	
+</beans>

webapp/WEB-INF/tiles-definitions.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE tiles-definitions PUBLIC 
+	"-//Apache Software Foundation//DTD Tiles Configuration 2.1//EN" 
+	"http://tiles.apache.org/dtds/tiles-config_2_1.dtd">       
+<tiles-definitions>
+
+    <!-- template for generic lessons -->
+	<definition name="generic-lesson" template="/WEB-INF/pages/layouts/genericLesson.jsp">
+		<put-attribute name="header-content" value="/WEB-INF/pages/sections/header.jsp" />
+		<put-attribute name="title-content" cascade="true" value="" />
+		<put-attribute name="menu-content" value="/WEB-INF/pages/sections/menu.jsp" />
+		<put-attribute name="hints-params-cookies" value="/WEB-INF/pages/sections/hintsParamsAndCookies.jsp" />
+		<put-attribute name="primary-content" value="" />
+		<put-attribute name="footer-content" value="/WEB-INF/pages/sections/footer.jsp" />
+	</definition>
+	
+	<!-- vulnerability-specific lesson pages -->
+	<definition name="http-basics" extends="generic-lesson">
+		<put-attribute name="title-content" cascade="true" value="HTTP Basics"/>
+		<put-attribute name="primary-content" value="/WEB-INF/pages/lessons/httpBasics.jsp" />
+	</definition>	
+	
+</tiles-definitions>

webapp/WEB-INF/web.xml

@@ -0,0 +1,401 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app 
+    xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+    version="2.5">
+
+    <!-- General description of your web application -->
+    <display-name>WebGoat</display-name>
+    <description>
+      This web application is designed to demonstrate web
+      application security flaws for the purpose of educating
+      developers and security professionals about web
+      application security problems. Please contact Bruce Mayhew 
+      (webgoat@owasp.org) if you have any questions.
+    </description>
+
+
+
+   <!-- Context initialization parameters that define shared
+         String constants used within your application, which
+         can be customized by the system administrator who is
+         installing your application.  The values actually
+         assigned to these parameters can be retrieved in a
+         servlet or JSP page by calling:
+
+             String value =
+               getServletContext().getInitParameter("name");
+
+         where "name" matches the <param-name> element of
+         one of these initialization parameters.
+
+         You can define any number of context initialization
+         parameters, including zero.
+    -->
+
+    <context-param>
+      <param-name>email</param-name>
+      <param-value>WebGoat@owasp.org</param-value>
+      <description>
+        The EMAIL address of the administrator to whom questions
+        and comments about this application should be addressed.
+      </description>
+    </context-param>
+    
+    <!-- spring MVC -->
+  	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			/WEB-INF/mvc-dispatcher-servlet.xml,
+			/WEB-INF/spring-security.xml
+		</param-value>
+  	</context-param>
+  
+
+    <!-- Servlet definitions for the servlets that make up
+         your web application, including initialization
+         parameters.  With Tomcat, you can also send requests
+         to servlets not listed here with a request like this:
+
+           http://localhost:8080/{context-path}/servlet/{classname}
+
+         but this usage is not guaranteed to be portable.  It also
+         makes relative references to images and other resources
+         required by your servlet more complicated, so defining
+         all of your servlets (and defining a mapping to them with
+         a servlet-mapping element) is recommended.
+
+         Servlet initialization parameters can be retrieved in a
+         servlet or JSP page by calling:
+
+            String value =
+               getServletConfig().getInitParameter("name");
+
+         where "name" matches the <param-name> element of
+         one of these initialization parameters.
+
+         You can define any number of servlets, including zero.
+    -->
+
+    <servlet>
+      <servlet-name>AxisServlet</servlet-name>
+      <display-name>Apache-Axis Servlet</display-name>
+      <servlet-class>
+          org.apache.axis.transport.http.AxisServlet
+      </servlet-class>
+    </servlet>
+ 
+    <servlet>
+      <servlet-name>AdminServlet</servlet-name>
+      <display-name>Axis Admin Servlet</display-name>
+      <servlet-class>
+          org.apache.axis.transport.http.AdminServlet
+      </servlet-class>
+      <load-on-startup>100</load-on-startup>
+    </servlet>
+
+    <servlet>
+      <servlet-name>SOAPMonitorService</servlet-name>
+      <display-name>SOAPMonitorService</display-name>
+      <servlet-class>
+          org.apache.axis.monitor.SOAPMonitorService
+      </servlet-class>
+      <init-param>
+        <param-name>SOAPMonitorPort</param-name>
+        <param-value>5001</param-value>
+      </init-param>
+      <load-on-startup>100</load-on-startup>
+    </servlet>
+ 
+    <servlet>
+      <servlet-name>WebGoat</servlet-name>
+      <description>
+        This servlet plays the "controller" role in the MVC architecture
+        used in this application.
+
+        The initialization parameter namess for this servlet are the
+        "servlet path" that will be received by this servlet (after the
+        filename extension is removed).  The corresponding value is the
+        name of the action class that will be used to process this request.
+      </description>
+      <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
+
+ 	  <init-param>
+      		<param-name>email</param-name>
+      		<param-value>WebGoat@owasp.org</param-value>
+      		<description>
+        		The EMAIL address of the administrator to whom questions
+        		and comments about this application should be addressed.
+      		</description>
+      </init-param>
+      
+	  <init-param>
+            <param-name>debug</param-name>
+            <param-value>false</param-value>
+      </init-param>
+
+      <init-param>
+            <param-name>CookieDebug</param-name>
+            <param-value>true</param-value>
+      </init-param>
+
+      <init-param>
+            <param-name>DefuseOSCommands</param-name>
+            <param-value>false</param-value>
+      </init-param>
+      
+      <init-param>
+            <param-name>Enterprise</param-name>
+            <param-value>true</param-value>
+      </init-param>
+      
+      <init-param>
+            <param-name>CodingExercises</param-name>
+            <param-value>true</param-value>
+      </init-param>
+      
+      <init-param>
+      		<!-- Specify an address where you would like comments to be sent.  -->
+      		<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
+      		<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For 
+      			 example, replace "<" with "&lt;" and ">" with "&gt;". -->
+            <param-name>FeedbackAddress</param-name>
+            <param-value>
+				&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
+            </param-value>
+      </init-param>
+      
+      <init-param>
+            <param-name>DatabaseDriver</param-name>
+            <param-value>
+		    	org.hsqldb.jdbcDriver
+            </param-value>
+      </init-param>
+
+      <init-param>
+            <param-name>DatabaseConnectionString</param-name>
+            <!-- 
+            The string "${USER}" in the connection string will be replaced by the active username
+            when making a connection.
+             -->
+            <param-value>
+				jdbc:hsqldb:mem:${USER}
+		    </param-value>
+      </init-param>
+
+      <!-- Load this servlet at server startup time -->
+
+      <load-on-startup>5</load-on-startup>
+
+    </servlet>
+
+
+    <servlet>
+      <servlet-name>LessonSource</servlet-name>
+      <description>
+        This servlet returns the Java source of the current lesson. 
+      </description>
+      <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
+    </servlet>
+
+    <servlet>
+      <servlet-name>Catcher</servlet-name>
+      <description>
+        This servlet catches any posts and marks the appropriate lesson property. 
+      </description>
+      <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
+    </servlet>
+
+    <servlet>
+	 <servlet-name>conf</servlet-name>
+	 <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
+    </servlet>
+    
+    
+    <!-- spring MVC -->
+  <servlet>
+  	<servlet-name>mvc-dispatcher</servlet-name>
+    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <servlet-mapping>
+ 	<servlet-name>mvc-dispatcher</servlet-name>
+    <url-pattern>*.do</url-pattern>
+  </servlet-mapping>
+  
+  <listener>
+    <listener-class>
+      org.springframework.web.context.ContextLoaderListener
+    </listener-class>
+  </listener>
+  <!-- end spring MVC --> 
+
+  <!-- spring security -->
+  <filter>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+  <!-- end spring security -->
+   
+
+    
+    
+    <!-- Define mappings that are used by the servlet container to
+         translate a particular request URI (context-relative) to a
+         particular servlet.  The examples below correspond to the
+         servlet descriptions above.  Thus, a request URI like:
+
+           http://localhost:8080/{contextpath}/graph
+
+         will be mapped to the "graph" servlet, while a request like:
+
+           http://localhost:8080/{contextpath}/saveCustomer.do
+
+         will be mapped to the "controller" servlet.
+
+         You may define any number of servlet mappings, including zero.
+         It is also legal to define more than one mapping for the same
+         servlet, if you wish to.
+    -->
+
+
+    <servlet-mapping>
+      <servlet-name>AxisServlet</servlet-name>
+      <url-pattern>/servlet/AxisServlet</url-pattern>
+    </servlet-mapping>
+ 
+    <servlet-mapping>
+      <servlet-name>AxisServlet</servlet-name>
+      <url-pattern>*.jws</url-pattern>
+    </servlet-mapping>
+ 
+    <servlet-mapping>
+      <servlet-name>AxisServlet</servlet-name>
+      <url-pattern>/services/*</url-pattern>
+    </servlet-mapping>
+ 
+    <servlet-mapping>
+      <servlet-name>SOAPMonitorService</servlet-name>
+      <url-pattern>/SOAPMonitor</url-pattern>
+    </servlet-mapping>
+ 
+    <!-- uncomment this if you want the admin servlet -->
+    <!--
+    <servlet-mapping>
+      <servlet-name>AdminServlet</servlet-name>
+      <url-pattern>/servlet/AdminServlet</url-pattern>
+    </servlet-mapping>
+     -->
+
+    <servlet-mapping>
+      <servlet-name>WebGoat</servlet-name>
+      <url-pattern>/attack</url-pattern>
+    </servlet-mapping>
+    
+    <servlet-mapping>
+      <servlet-name>LessonSource</servlet-name>
+      <url-pattern>/source</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+      <servlet-name>Catcher</servlet-name>
+      <url-pattern>/catcher</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+      <servlet-name>conf</servlet-name>
+      <url-pattern>/conf</url-pattern>
+    </servlet-mapping>
+    
+    
+
+    <!-- Define the default session timeout for your application,
+         in minutes.  From a servlet or JSP page, you can modify
+         the timeout for a particular session dynamically by using
+         HttpSession.getMaxInactiveInterval(). -->
+
+    <session-config>
+    	<!-- 2 days -->
+        <session-timeout>2880</session-timeout>
+    </session-config>
+
+    <mime-mapping>
+        <extension>wmv</extension>
+        <mime-type>video/x-ms-wmv</mime-type>
+    </mime-mapping>
+
+	<!-- Define reference to the user database for looking up roles -->
+	<resource-env-ref>
+	    <description>
+	      Link to the UserDatabase instance from which we request lists of
+	      defined role names.  Typically, this will be connected to the global
+	      user database with a ResourceLink element in server.xml or the context
+	      configuration file for the Manager web application.
+	    </description>
+	    <resource-env-ref-name>users</resource-env-ref-name>
+	    <resource-env-ref-type>
+	      org.apache.catalina.UserDatabase
+	    </resource-env-ref-type>
+	</resource-env-ref>
+	
+
+	<!-- Define a Security Constraint on this Application -->
+	<security-constraint>
+	    <web-resource-collection>
+	      <web-resource-name>WebGoat Application</web-resource-name>
+	      <url-pattern>/*</url-pattern>
+	    </web-resource-collection>
+	    <auth-constraint>
+	       <role-name>webgoat_user</role-name>
+	       <role-name>webgoat_admin</role-name>
+	       <role-name>webgoat_challenge</role-name>
+	    </auth-constraint>
+	</security-constraint>
+	
+	<security-constraint>
+	    <web-resource-collection>
+	      <web-resource-name>WebGoat Application Source</web-resource-name>
+	      <url-pattern>/JavaSource/*</url-pattern>
+	    </web-resource-collection>
+	    <auth-constraint>
+	       <role-name>server_admin</role-name>
+	    </auth-constraint>
+	</security-constraint>
+   
+	
+	<!-- Login configuration uses BASIC authentication -->
+	<login-config>
+	    <auth-method>BASIC</auth-method>
+	    <realm-name>WebGoat Application</realm-name>
+	</login-config>
+	
+	<!-- Security roles referenced by this web application -->
+	<security-role>
+	    <description>The role that is required to administrate WebGoat</description>
+	    <role-name>webgoat_admin</role-name>
+	</security-role>
+	
+	<security-role>
+	    <description>The role that is required to start the challenge log viewer</description>
+	    <role-name>webgoat_challenge</role-name>
+	</security-role>
+
+	<security-role>
+	    <description>The role that is required to use WebGoat</description>
+	    <role-name>webgoat_user</role-name>
+	</security-role>
+
+	<security-role>
+	    <description>This role is for admins only</description>
+	    <role-name>server_admin</role-name>
+	</security-role>
+
+</web-app>
+

webapp/WEB-INF/webgoat-class.properties

@@ -0,0 +1,60 @@
+category.General.ranking=11
+lesson.HttpBasics.ranking=10
+lesson.HttpSplitting.ranking=20
+lesson.ThreadSafetyProblem.ranking=30
+
+category.Broken\ Authentication\ and\ Session\ Management.ranking=21
+lesson.BasicAuthentication.ranking=10
+lesson.WeakAuthenticationCookie.ranking=20
+
+category.Broken\ Access\ Control.ranking=31
+lesson.AccessControlMatrix.ranking=10
+lesson.PathBasedAccessControl.ranking=20
+lesson.RoleBasedAccessControl.hidden=true
+
+category.Cross-Site\ Scripting\ (XSS).ranking=41
+lesson.StoredXss.ranking=10
+lesson.ReflectedXSS.ranking=20
+lesson.CSRF.ranking=30
+lesson.CsrfPromptByPass.ranking=40
+lesson.CsrfTokenByPass.ranking=50
+lesson.CrossSiteScripting.hidden=true
+
+category.Unvalidated\ Parameters.ranking=51
+lesson.HiddenFieldTampering.ranking=10
+lesson.JavaScriptValidation.ranking=20
+lesson.UncheckedEmail.ranking=30
+
+category.Insecure\ Storage.ranking=61
+lesson.Encoding.ranking=10
+
+category.Injection\ Flaws.ranking=71
+lesson.SqlNumericInjection.ranking=10
+lesson.SqlStringInjection.ranking=20
+lesson.CommandInjection.ranking=30
+lesson.LogSpoofing.ranking=40
+lesson.SQLInjection.hidden=true
+
+category.Improper\ Error\ Handling.ranking=81
+lesson.FailOpenAuthentication.ranking=10
+
+category.Code\ Quality.ranking=91
+lesson.HtmlClues.ranking=10
+
+category.Web\ Services.category.ranking=101
+lesson.SoapRequest.ranking=10
+lesson.WSDLScanning.ranking=20
+lesson.WsSqlInjection.ranking=30
+
+category.New\ Lesson.category.ranking=111
+lesson.HowToAddNewLesson.ranking=10
+
+lesson.WeakSessionID.hidden=true
+lesson.BufferOverflow.hidden=true
+lesson.BlindSqlInjection.hidden=true
+lesson.DOS_Login.hidden=true
+lesson.ForcedBrowsing.hidden=true
+lesson.ForgotPassword.hidden=true
+lesson.ParameterInjection.hidden=true
+lesson.RemoteAdminFlaw.hidden=true
+lesson.ChallengeScreen.hidden=true

webapp/WEB-INF/webgoat-lab.properties

@@ -0,0 +1,57 @@
+category.General.ranking=11
+lesson.HttpBasics.ranking=10
+lesson.HttpSplitting.ranking=20
+lesson.ThreadSafetyProblem.ranking=30
+
+category.Broken\ Authentication\ and\ Session\ Management.ranking=21
+lesson.BasicAuthentication.ranking=10
+lesson.WeakAuthenticationCookie.ranking=20
+
+category.Broken\ Access\ Control.ranking=31
+lesson.AccessControlMatrix.ranking=10
+lesson.PathBasedAccessControl.ranking=20
+
+category.Cross-Site\ Scripting\ (XSS).ranking=41
+lesson.StoredXss.ranking=10
+lesson.ReflectedXSS.ranking=20
+lesson.CSRF.ranking=30
+lesson.CsrfPromptByPass.ranking=40
+lesson.CsrfTokenByPass.ranking=50
+
+category.Unvalidated\ Parameters.ranking=51
+lesson.HiddenFieldTampering.ranking=10
+lesson.JavaScriptValidation.ranking=20
+lesson.UncheckedEmail.ranking=30
+
+category.Insecure\ Storage.ranking=61
+lesson.Encoding.ranking=10
+
+category.Injection\ Flaws.ranking=71
+lesson.SqlNumericInjection.ranking=10
+lesson.SqlStringInjection.ranking=20
+lesson.CommandInjection.ranking=30
+lesson.LogSpoofing.ranking=40
+
+category.Improper\ Error\ Handling.ranking=81
+lesson.FailOpenAuthentication.ranking=10
+
+category.Code\ Quality.ranking=91
+lesson.HtmlClues.ranking=10
+
+category.Web\ Services.category.ranking=101
+lesson.SoapRequest.ranking=10
+lesson.WSDLScanning.ranking=20
+lesson.WsSqlInjection.ranking=30
+
+category.New\ Lesson.category.ranking=111
+lesson.HowToAddNewLesson.ranking=10
+
+lesson.WeakSessionID.hidden=true
+lesson.BufferOverflow.hidden=true
+lesson.BlindSqlInjection.hidden=true
+lesson.DOS_Login.hidden=true
+lesson.ForcedBrowsing.hidden=true
+lesson.ForgotPassword.hidden=true
+lesson.ParameterInjection.hidden=true
+lesson.RemoteAdminFlaw.hidden=true
+lesson.ChallengeScreen.hidden=true

webapp/WEB-INF/webgoat-owasp.properties

@@ -0,0 +1,2 @@
+#lesson.BufferOverflow.hidden=true
+lesson.BlindScript.hidden=true

webapp/WEB-INF/webgoat.properties

@@ -0,0 +1,2 @@
+#lesson.BufferOverflow.hidden=true
+lesson.BlindScript.hidden=true

webapp/WEB-INF/webgoat_oracle.sql

@@ -0,0 +1,132 @@
+DROP USER webgoat_guest CASCADE;
+CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;
+GRANT CONNECT, RESOURCE TO webgoat_guest;
+GRANT CREATE PROCEDURE TO webgoat_guest;
+
+CREATE TABLE WEBGOAT_guest.EMPLOYEE (
+    userid INT NOT NULL PRIMARY KEY,
+    first_name VARCHAR(20),
+    last_name VARCHAR(20),
+    ssn VARCHAR(12),
+    password VARCHAR(10),
+    title VARCHAR(20),
+    phone VARCHAR(13),
+    address1 VARCHAR(80),
+    address2 VARCHAR(80),
+    manager INT,
+    start_date CHAR(8),
+    salary INT,
+    ccn VARCHAR(30),
+    ccn_limit INT,
+    disciplined_date CHAR(8),
+    disciplined_notes VARCHAR(60),
+    personal_description VARCHAR(60)
+);
+
+
+CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
+    stmt VARCHAR(32767);cnt NUMBER;
+BEGIN
+    stmt  := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
+    EXECUTE IMMEDIATE stmt INTO cnt;
+    RETURN cnt;
+END;
+/
+
+CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
+    stmt VARCHAR(32767);cnt NUMBER;
+BEGIN
+    stmt  := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
+    EXECUTE IMMEDIATE stmt INTO cnt;
+    RETURN cnt;
+END;
+/
+
+CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE(
+    v_userid IN employee.userid%type, 
+    v_first_name IN employee.first_name%type, 
+    v_last_name IN employee.last_name%type, 
+    v_ssn IN employee.ssn%type, 
+    v_title IN employee.title%type, 
+    v_phone IN employee.phone%type, 
+    v_address1 IN employee.address1%type, 
+    v_address2 IN employee.address2%type, 
+    v_manager IN employee.manager%type, 
+    v_start_date IN employee.start_date%type, 
+    v_salary IN employee.salary%type, 
+    v_ccn IN employee.ccn%type, 
+    v_ccn_limit IN employee.ccn_limit%type, 
+    v_disciplined_date IN employee.disciplined_date%type, 
+    v_disciplined_notes IN employee.disciplined_notes%type, 
+    v_personal_description IN employee.personal_description%type
+)
+AS 
+BEGIN
+    UPDATE EMPLOYEE
+    SET
+        first_name = v_first_name, 
+        last_name = v_last_name, 
+        ssn = v_ssn, 
+        title = v_title, 
+        phone = v_phone, 
+        address1 = v_address1, 
+        address2 = v_address2, 
+        manager = v_manager, 
+        start_date = v_Start_date,
+        salary = v_salary, 
+        ccn = v_ccn, 
+        ccn_limit = v_ccn_limit, 
+        disciplined_date = v_disciplined_date, 
+        disciplined_notes = v_disciplined_notes, 
+        personal_description = v_personal_description
+    WHERE
+        userid = v_userid;
+END;
+/
+
+CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP(
+    v_userid IN employee.userid%type, 
+    v_first_name IN employee.first_name%type, 
+    v_last_name IN employee.last_name%type, 
+    v_ssn IN employee.ssn%type, 
+    v_title IN employee.title%type, 
+    v_phone IN employee.phone%type, 
+    v_address1 IN employee.address1%type, 
+    v_address2 IN employee.address2%type, 
+    v_manager IN employee.manager%type, 
+    v_start_date IN employee.start_date%type, 
+    v_salary IN employee.salary%type, 
+    v_ccn IN employee.ccn%type, 
+    v_ccn_limit IN employee.ccn_limit%type, 
+    v_disciplined_date IN employee.disciplined_date%type, 
+    v_disciplined_notes IN employee.disciplined_notes%type, 
+    v_personal_description IN employee.personal_description%type
+)
+AS 
+BEGIN
+    UPDATE EMPLOYEE
+    SET
+        first_name = v_first_name, 
+        last_name = v_last_name, 
+        ssn = v_ssn, 
+        title = v_title, 
+        phone = v_phone, 
+        address1 = v_address1, 
+        address2 = v_address2, 
+        manager = v_manager, 
+        start_date = v_Start_date,
+        salary = v_salary, 
+        ccn = v_ccn, 
+        ccn_limit = v_ccn_limit, 
+        disciplined_date = v_disciplined_date, 
+        disciplined_notes = v_disciplined_notes, 
+        personal_description = v_personal_description
+    WHERE
+        userid = v_userid;
+END;
+/
+
+
+exit;
+
+

webapp/WEB-INF/webgoat_sqlserver.sql

@@ -0,0 +1,226 @@
+EXEC sp_configure 'clr enabled', 1
+GO
+
+RECONFIGURE
+GO
+
+USE master;
+
+go
+
+DROP LOGIN webgoat_guest;
+
+go
+
+DROP database webgoat;
+
+go
+
+
+CREATE database webgoat;
+
+go
+
+USE webgoat;
+
+go
+
+CREATE SCHEMA webgoat_guest;
+
+go
+
+CREATE LOGIN webgoat_guest with password = '_webgoat';
+
+go
+
+CREATE USER webgoat_guest with default_schema = webgoat_guest;
+
+go
+
+GRANT CONTROL TO webgoat_guest;
+
+go
+
+
+CREATE TABLE WEBGOAT_guest.EMPLOYEE (
+    userid INT NOT NULL PRIMARY KEY,
+    first_name VARCHAR(20),
+    last_name VARCHAR(20),
+    ssn VARCHAR(12),
+    password VARCHAR(10),
+    title VARCHAR(20),
+    phone VARCHAR(13),
+    address1 VARCHAR(80),
+    address2 VARCHAR(80),
+    manager INT,
+    start_date CHAR(8),
+    salary INT,
+    ccn VARCHAR(30),
+    ccn_limit INT,
+    disciplined_date CHAR(8),
+    disciplined_notes VARCHAR(60),
+    personal_description VARCHAR(60)
+);
+
+go
+
+IF EXISTS
+(
+	SELECT	1
+	FROM	INFORMATION_SCHEMA.ROUTINES
+	WHERE		ROUTINE_NAME 	= 'UPDATE_EMPLOYEE'
+		AND	ROUTINE_SCHEMA	= 'webgoat_guest'
+		AND	ROUTINE_TYPE	= 'PROCEDURE'
+)
+BEGIN
+	DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
+	DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
+END
+GO
+
+CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
+    @v_userid INT,
+    @v_first_name VARCHAR(20),
+    @v_last_name VARCHAR(20),
+    @v_ssn VARCHAR(12),
+    @v_title VARCHAR(20),
+    @v_phone VARCHAR(13),
+    @v_address1 VARCHAR(80),
+    @v_address2 VARCHAR(80),
+    @v_manager INT,
+    @v_start_date CHAR(8),
+    @v_salary INT,
+    @v_ccn VARCHAR(30),
+    @v_ccn_limit INT,
+    @v_disciplined_date CHAR(8),
+    @v_disciplined_notes VARCHAR(60),
+    @v_personal_description VARCHAR(60)
+AS
+    UPDATE EMPLOYEE
+    SET
+        first_name = @v_first_name, 
+        last_name = @v_last_name, 
+        ssn = @v_ssn, 
+        title = @v_title, 
+        phone = @v_phone, 
+        address1 = @v_address1, 
+        address2 = @v_address2, 
+        manager = @v_manager, 
+        start_date = @v_Start_date,
+        salary = @v_salary, 
+        ccn = @v_ccn, 
+        ccn_limit = @v_ccn_limit, 
+        disciplined_date = @v_disciplined_date, 
+        disciplined_notes = @v_disciplined_notes, 
+        personal_description = @v_personal_description
+    WHERE
+        userid = @v_userid;
+
+go
+
+CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
+    @v_userid INT,
+    @v_first_name VARCHAR(20),
+    @v_last_name VARCHAR(20),
+    @v_ssn VARCHAR(12),
+    @v_title VARCHAR(20),
+    @v_phone VARCHAR(13),
+    @v_address1 VARCHAR(80),
+    @v_address2 VARCHAR(80),
+    @v_manager INT,
+    @v_start_date CHAR(8),
+    @v_salary INT,
+    @v_ccn VARCHAR(30),
+    @v_ccn_limit INT,
+    @v_disciplined_date CHAR(8),
+    @v_disciplined_notes VARCHAR(60),
+    @v_personal_description VARCHAR(60)
+AS
+    UPDATE EMPLOYEE
+    SET
+        first_name = @v_first_name, 
+        last_name = @v_last_name, 
+        ssn = @v_ssn, 
+        title = @v_title, 
+        phone = @v_phone, 
+        address1 = @v_address1, 
+        address2 = @v_address2, 
+        manager = @v_manager, 
+        start_date = @v_Start_date,
+        salary = @v_salary, 
+        ccn = @v_ccn, 
+        ccn_limit = @v_ccn_limit, 
+        disciplined_date = @v_disciplined_date, 
+        disciplined_notes = @v_disciplined_notes, 
+        personal_description = @v_personal_description
+    WHERE
+        userid = @v_userid;
+
+go
+
+IF EXISTS
+(
+	SELECT	1
+	FROM	INFORMATION_SCHEMA.ROUTINES
+	WHERE		ROUTINE_NAME 	= 'EMPLOYEE_LOGIN'
+		AND	ROUTINE_SCHEMA	= 'webgoat_guest'
+		AND	ROUTINE_TYPE	= 'FUNCTION'
+)
+BEGIN
+	DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
+	DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
+END
+GO
+
+CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
+    @v_id INT,
+    @v_password VARCHAR(100)
+) RETURNS INTEGER
+AS
+    BEGIN
+        DECLARE @sql nvarchar(4000), @count int
+        SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
+        EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
+        return @count
+    END
+GO
+
+CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
+    @v_id INT,
+    @v_password VARCHAR(100)
+) RETURNS INTEGER
+AS
+    BEGIN
+        DECLARE @sql nvarchar(4000), @count int
+        SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
+        EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
+        return @count
+    END
+GO
+
+IF EXISTS
+(
+	SELECT	1
+	FROM	INFORMATION_SCHEMA.ROUTINES
+	WHERE		ROUTINE_NAME 	= 'RegexMatch'
+		AND	ROUTINE_SCHEMA	= 'webgoat_guest'
+		AND	ROUTINE_TYPE	= 'FUNCTION'
+)
+BEGIN
+	DROP FUNCTION webgoat_guest.RegexMatch
+END
+GO
+
+IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch') 
+	DROP ASSEMBLY RegexMatch;
+GO
+
+CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
+GO
+
+CREATE FUNCTION webgoat_guest.RegexMatch (
+@input NVARCHAR(MAX),
+@pattern NVARCHAR(MAX)
+) RETURNS BIT
+AS EXTERNAL NAME  RegexMatch.[UserDefinedFunctions].RegexMatch;
+GO

webapp/css/layers.css

@@ -0,0 +1,2 @@
+#lessonTitle {position:absolute;left:94px;top:75px;width:690px;height:22px;z-index:1;float: right;font-size: 20px;color: #FFFFFF;}
+#hMenuBar {position:absolute;left:245px;top:108px;width:538px;height:22px;z-index:2;}

webapp/css/lesson.css

@@ -0,0 +1,11 @@
+body.page {color: #000000;font-family: Verdana, Tahoma, sans-serif;font-size: 8pt;}
+td {font-family: Verdana, Tahoma, sans-serif;font-size: 8pt; }
+tr {font-family: Verdana, Tahoma, sans-serif;}
+span {font-family: Verdana, Tahoma, sans-serif;}
+.f8-0 {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;}
+.f8-1 {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;}
+.div_tree {padding-left:10px;overflow:visible;}
+.report_tree_link {width:100%;font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;margin-left:2px;padding-right:2px;margin-top:2px;border-spacing:0px;}
+.form_link {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;font-weight: bold;}
+.report_title {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;border: 1px solid #afafaf;background-color: #cfcfef;margin-top:3px;margin-bottom:3px;margin-left:1px;padding:3px;font-weight: bold;}
+.middle {vertical-align:middle;}

webapp/css/menu.css

@@ -0,0 +1,11 @@
+.pviimenudiv td {font-family: "Trebuchet MS", Arial, sans-serif; font-size: 10px}
+.pviimenudiv p {font-family: "Trebuchet MS", Arial, sans-serif; font-size: 10px; margin-top: 12px; margin-bottom: 6px}
+.pviimenudiv b {font-family: Verdana, Arial, Helvetica, sans-serif; font-style: normal; color: #666666}
+.pviimenudiv a:link {color: #333333; text-decoration: underline}
+.pviimenudiv a:visited {color: #0066FF; text-decoration: underline}
+.pviimenudiv a:hover {color: red; text-decoration: underline}
+.pviimenudiv a:active {color: #0066FF; text-decoration: underline}
+.pviimenudivstage a:link {color: #333333; font-size: 9px; display: block; margin-left: 2em; }
+.pviimenudivstage a:visited {color: #0066FF; font-size: 9px;  display: block; margin-left: 2em; }
+.pviimenudivstage a:hover {color: red; font-size: 9px;  display: block; margin-left: 2em; }
+.pviimenudivstage a:active {color: #0066FF; font-size: 9px;  display: block; margin-left: 2em; }

webapp/css/webgoat.css

@@ -0,0 +1,304 @@
+body{ 
+	min-width: 800px;
+	font-family: Arial,sans-serif;
+	color: #333333;
+	line-height: 1.166;	
+	margin: 0px;
+	padding: 0px;
+}
+
+a:link, a:visited, a:hover {
+	color: #666666;
+	text-decoration: none;
+}
+
+a:hover {
+	text-decoration: underline;
+	color: red;
+}
+
+h1, h2, h3, h4, h5, h6 {
+	font-family: Arial,sans-serif;
+	margin: 0px;
+	padding: 0px;
+}
+
+h1{
+	font-family: Verdana,Arial,sans-serif;
+	font-size: 120%;
+	color: #333333;
+}
+
+h2{
+	font-size: 114%;
+	color: #333333;
+}
+
+h3{
+	font-size: 100%;
+	color: #334d55;
+}
+
+h4{
+	font-size: 100%;
+	font-weight: normal;
+	color: #333333;
+}
+
+h5{
+	font-size: 100%;
+	color: #334d55;
+}
+
+ul{
+	list-style-type: square;
+}
+
+ul ul{
+	list-style-type: disc;
+}
+
+ul ul ul{
+	list-style-type: none;
+}
+
+#navBar{
+	margin: 0 79% 0 0;
+	padding: 0px;
+	background-color: #999999;
+}
+
+#twoCol{
+	margin: 0;
+	padding-left: 13px;
+}
+
+#siteName{
+	margin: 0px;
+	padding: 0px 0px 10px 10px;
+}
+
+#lessonName{
+	padding: 5px 0px 10px 10px;
+}
+
+#globalNav{
+	color: #cccccc;
+	padding: 0px 10px;
+	white-space: nowrap;
+}
+
+#globalNav img{
+	display: block;
+}
+
+#globalNav a {
+	font-size: 10px;
+	padding: 0px 4px 0px 0px; 
+}
+
+.lessonContent{
+	padding: 10px 10px 10px 10px; 
+	font-size: 10px;
+}
+
+.lessonText h3{
+	padding: 30px 0px 5px 0px;
+	text-align: center;
+}
+
+.lessonText img{
+	float: left;
+	padding: 0px 10px 0px 0px;
+	margin: 0 5px 5px 0;
+}
+
+#bottom{
+	color: #999999;
+	clear: both;
+	font-size: 10px;
+	padding-top: 5px;
+}
+
+#navBar ul a:link, #navBar ul a:visited {}
+
+#navBar ul {
+	list-style: none; 
+	margin: 0; 
+	padding: 0;
+}
+
+/* hack to fix IE/Win's broken rendering of block-level anchors in lists */
+#navBar li {}
+
+/* fix for browsers that don't need the hack */
+html>body #navBar li {}
+
+#top{
+	height:136px;
+	background-image: url(../images/header/header.jpg);
+	width: 800px;
+}
+
+#top_challenge{
+	height:136px;
+	width: 800px;
+}
+
+#topLinks{
+	position: relative;
+	margin: 0px;
+	padding: 0px;
+	font-size: small;
+}
+
+#topLinks h3{
+	padding: 10px 0px 2px 10px;
+}
+
+#topLinks a:link{
+	padding: 2px 0px 2px 10px;
+	width: 100%;voice-family: "\"}\""; 
+	voice-family:inherit;
+	width: auto;
+}
+
+#topLinks a:visited{
+	border-top: 1px solid #cccccc;
+	padding: 2px 0px 2px 10px;
+}
+
+#topLinks a:hover{
+	background-color: #FFFFFF;
+	padding: 5px 2px 2px 10px;
+}
+
+#menuSpacer {
+	float: left;
+	width: 225px;
+}
+
+#lessonArea {
+	float: right;
+	width: 540px;
+	height: 100%;
+	padding: 10px;
+}
+#lessonAreaTop {
+	float: right;
+	width: 540px;
+	height: 15px;
+	padding: 10px;
+}
+
+#wrap {
+	width: 800px;
+	word-wrap:break-word; /* Fixes IE wrapping issue */
+}
+
+#topRight {
+	position:absolute;
+	left:380px;
+	top:0px;
+	width:400px;
+	height:23px;
+	z-index:3;
+	float: right;
+}
+
+#topLeft {
+	position:absolute;
+	left:100px;
+	top:0px;
+	width:400px;
+	height:23px;
+	z-index:3;
+	float: right;
+}
+#topRightInner {
+	position:absolute;
+	left:450px;
+	top:10px;
+	width:300px;
+	height:23px;
+	z-index:4;
+	float: right;
+}
+
+.info {
+	color: red; 
+	font-weight: bold;
+}
+
+#reset {
+	text-align: right;
+	font-weight: bold;
+	float: right;
+	display: inline;
+	margin-bottom: 10px;
+}
+
+#training {
+	text-align: left;
+	font-weight: bold;
+	display: inline;
+	float: left;
+	margin-bottom: 10px;
+	
+}
+
+#training_wrap {
+	width: 540px;
+}
+
+#hint{}
+#parameter{}
+#cookie{}
+#message{
+	margin-bottom: 20px;
+	margin-top: 10px;
+}
+
+#lessonPlans {
+	border: 1px solid #000000;
+	background-color: #FFFFFF;
+	margin: 15px;
+	padding: 25px;
+	padding-bottom: 75px;
+}
+
+#credits {
+	float: right;
+}
+
+#start {
+	height: 370px;
+	width: 700px;
+	padding: 10px 50px 10px 50px;
+	font-size: 15px;
+}
+#warning {
+	border: 1px solid #666666;
+	padding: 10px;
+	font-size: 10px;
+	color: #FF3300;
+	width: 600px;
+	margin-left: 100px;
+	margin-right: 100px;
+}
+#team {
+	width: 580px;
+	margin-right: 50px;
+	margin-left: 50px;
+	padding-top: 5px;
+	padding-right: 10px;
+	padding-bottom: 5px;
+	padding-left: 10px;
+}
+.style1 {
+	font-size: 11px;
+	font-weight: bold;
+}
+.style2 {
+	font-size: 10px;
+}

webapp/css/webgoat_challenge.css

@@ -0,0 +1,45 @@
+#bottom_ch{
+	color: #999999;
+	clear: both;
+	font-size: 10px;
+	padding-top: 5px;
+}
+
+#top_ch{
+	width: 500px;
+	height:136px;
+	background-image: url(../images/header/header.jpg);
+}
+
+#wrap_ch {
+	width: 500px;
+}
+
+#credits_ch {
+	float: right;
+}
+
+#start_ch {
+	height: 380px;
+	width: 500px;
+	padding: 10px 10px 10px 10px;
+	font-size: 15px;
+}
+#warning_ch {
+	border: 1px solid #666666;
+	padding: 10px;
+	font-size: 10px;
+	color: #FF3300;
+	width: 450px;
+	margin-left: 5px;
+	margin-right: 5px;
+}
+#team_ch {
+}
+.style1_ch {
+	font-size: 11px;
+	font-weight: bold;
+}
+.style2_ch {
+	font-size: 10px;
+}

webapp/database/database.prp

@@ -0,0 +1,365 @@
+!---------------------------------------------------------------------
+!
+! BASIC PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! Path where index tables are held. Can be absolute or relative 
+! to the properties file. Defaults to tablePath.
+!
+indexPath=./indexes
+!
+! Path where system tables are held. Can be absolute or relative to 
+! the properties file. Defaults to tablePath.
+!
+systemPath=./system
+!
+! Path where database tables are held. Can be absolute or relative 
+! to the properties file. Defaults to "current" directory.
+!
+tablePath=./tables
+!
+! Path where results set tables are held. Can be absolute or relative 
+! to the properties file. Defaults to tablePath.
+!
+tmpPath=./tmp
+!
+! Non-zero means paths are relative to the properties file. 
+! Default is absolute paths for files.
+!
+relativeToProperties=1
+!
+! Alternative partitions can be defined so that tables can be placed
+! in multiple locations. Each partition is numbered: 1, 2, 3,... Tables
+! can be created on partitions using the syntax 
+!
+!   CREATE TABLE <name> ON PARTITION <number>...
+!
+! The partition count has to be supplied.
+!
+!partitionCount=2
+!
+! The locations of each partition must be supplied. These are always
+! absolute path names.
+!
+!partition1=d:/petes
+!partition2=c:/temp
+
+
+!---------------------------------------------------------------------
+!
+! TUNING PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! The amount of each column to cache, expressed either as an absolute 
+! number of rows or as a percentage figure. Defaults to 256 or 10 respectively.
+!
+! This value applies only when tables are first created. It has no effect
+! when a table is being re-opened.
+!
+cacheAmount=512
+!
+! CACHE_ROWS Must be one of CACHE_ROWS or CACHE_PERCENT. Determines whether 
+! to cache columns in tables based on an absolute number of rows, or the 
+! percentage number of rows in the table. 
+!
+! This value applies only when tables are first created. It has no effect
+! when a table is being re-opened.
+!
+cacheCondition=CACHE_ROWS
+!
+! The amount of the system tables to be cached. Defaults to 100.
+!
+! This value applies only when tables are first created. It has no effect
+! when a table is being re-opened.
+!
+!systemCacheSize=10
+!
+! Similar to cacheCondition, but applies only to the system tables.
+!
+! This value applies only when tables are first created. It has no effect
+! when a table is being re-opened.
+!
+!systemCacheCondition=CACHE_ROWS
+!
+! The percentage cache hit improvement required in order to move the 
+! cache to a new location in a column. 
+!
+! (Currently not implemented).
+!
+cacheResetPercent=10
+!
+! Non-zero means that database changes do not get written to the 
+! database immediately. See tuning.html. 
+!
+fastUpdate=0
+!
+! Percentage of free space in an index that must be present before 
+! the index reorganises itself. High values means frequent index
+! reorganisation. Low values means slow index inserts.
+!
+indexLoad=5
+!
+! The number of cache misses to include in calculations of the next 
+! base for the cache. 
+!
+! (Currently not implemented).
+!
+missesInCacheStats=100
+!
+! Non-zero means that results sets get instantiated on disk. By default
+! InstantDB holds results sets emtirely in memory (apart from Binary
+! columns). For large results sets this can be a problem. This property
+! forces all results sets to be held on disk.
+!
+resultsOnDisk=0
+!
+! Similar to cacheCondition but applies only to disk based
+! results sets. Default is CACHE_ROWS.
+!
+resultsSetCache=CACHE_ROWS
+!
+! Similar to cacheAmount but applies only to disk based
+! results sets. Default is 100.
+!
+resultsSetCacheAmount=100
+!
+! Number of rows to read into the disk read ahead buffer. 
+! Recommended to be set somewhere around 128 to 256. 
+! Default is 20.
+!
+rowCacheSize=128
+!
+! The read ahead buffer is effective at speeding up full
+! table scans. However for indexed lookups or multiple
+! simultaneous scans it is better to read a single row at
+! a time. Each table holds a small number of single row
+! buffers to improve such operations. Default is 8.
+!
+!singleRowCount=4
+!
+! Sometimes the look ahead buffer can be held by a single
+! thread even though it is not retrieveing many values from it.
+! If too many lookups retrieve data from the single row
+! buffers then it is better to flush the look ahead buffer and
+! make it available for re-use. Default is 128.
+!
+!flushAfterCacheMisses=64
+!
+! Number of rows to read ahead for system tables. By default
+! system tables cache everything, so it is wasteful to have large
+! read ahead buffers since they will very rarely be used. This
+! allows the size of the system read ahead buffers to be reduced
+! if necessary. Defaults to rowCacheSize.
+!
+!systemRows=20
+!
+! The control column in all tables normally has a large cache
+! since this speeds up all operation on that table. This can be
+! varied to either improve performance or to reduce space.
+! default is 8192.
+!
+! This value applies only when tables are first created. It has no effect
+! when a table is being re-opened.
+!
+!controlColCacheSize=512
+!
+! By default, InstantDB only does a cursory search for deleted rows during 
+! UPDATE statements. Setting searchDeletes=1 causes more detailed searches 
+! for deleted rows. This slows down UPDATE executions, but reults in more 
+! compact tables.  Default is 0.
+!
+searchDeletes=0
+!
+! The interval, in milliseconds, between checks for statement execution
+! timeouts. Default is 5000.
+!
+!timerCheck=5000
+!
+! The number of statements between checks on available memory. If set
+! to 100 (say), then every 100 statements, InstantDB will check to
+! see how much memory is still free. If too little is avilable (see
+! below) then java.lang.System.gc() is called.
+!
+! If set to zero (the default) then no memory checking takes place.
+!
+!garbageCollectStatements=100
+!
+! If InstantDB is performing period memory checks (see above) then
+! this is the value in percent of available memory that must be
+! used before System.gc() gets called.
+!
+!garbageCollectPercent=70
+
+!---------------------------------------------------------------------
+!
+! LOGGING AND DEBUGGING PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! Non-zero means include SQL statements in the export file. 
+!
+exportSQL=0
+!
+! Non-zero means trace output also directed to console. 
+! Defaults to 0.
+!
+traceConsole=1
+!
+! Relative or absolute path where exporting and tracing goes.
+!
+! NOTE - A relative path is relative to the current Java
+! runtime directory. It is *not* relative to this properties
+! file. This is regardless of the relativeToProperties
+! setting above.
+!
+traceFile=./trace.log
+!
+! Bitmap of various items that can be traced. See debug.html. 
+! Defaults to 0.
+!
+traceLevel=2
+
+!---------------------------------------------------------------------
+!
+! TRANSACTION AND RECOVERY PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! 0 means do not perform recovery on startup.
+! 1 means perform automatic recovery
+! 2 (default) means prompt the user using standard in 
+!
+recoveryPolicy=1
+!
+! Sets the level of transaction journalling. See trans.html.
+! Defaults to 1.
+!
+! 0 - No journalling takes place.
+! 1 - Normal journalling (default).
+! 2 - Full journalling.
+!
+transLevel=1
+!
+! When doing an import, defines the number of rows imported 
+! before the transaction is committed. Recommended value 8192.
+! defaults to 100.
+!
+transImports=100
+!
+! Sets the default transaction isolation level. This is a complex
+! topic, but basically, the higher the level, the more locking
+! goes on. The allowed values are:
+!
+!   TRANSACTION_READ_UNCOMMITTED = 1
+!   TRANSACTION_READ_COMMITTED   = 2
+!   TRANSACTION_REPEATABLE_READ  = 4
+!   TRANSACTION_SERIALIZABLE     = 8 (default)
+!
+! SERIALIZABLE means that InstantDB takes exclusive access to all
+! tables in a transaction until the transaction completes. Even if
+! the transaction only performs reads.
+!
+! REPEATABLE_READ transactions takes read locks for SELECTs and
+! write locks for everything else. All locks released on transaction
+! completion.
+!
+! READ_COMMITTED transactions are the same as REPEATABLE_READ 
+! except that read locks get freed on statement completion.
+!
+! READ_UNCOMMITTED transactions do not take read locks. A result
+! set can include data being modified by another transaction.
+!
+!defaultIsolationLevel=2
+
+!---------------------------------------------------------------------
+!
+! DATE, TIME AND CURRENCY PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! Number of digits after decimal point in currency outputs. Defaults to 2.
+!
+currencyDecimal=2
+!
+! Currency symbol used in currency outputs. Defaults to $.
+!
+currencySymbol=$
+!
+! Default format for date columns. Defaults to "yyyy-mm-dd".
+!
+!dateFormat=yyyy-mm-dd
+!
+! Default format for timestamp columns. Defaults to "yyyy-mm-dd hh:nn:ss.lll".
+!
+!dateTimeFormat=yyyy-mm-dd hh:nn:ss.lll
+!
+! Default format for time columns. Defaults to "hh:nn:ss.lll".
+!
+!timeFormat=hh:nn:ss.lll
+!
+! If set, then all two digit dates less than its value are interpreted 
+! as 21st century dates. 
+!
+!milleniumBoundary=50
+!
+! Set to 1 causes the date string "now" to store a full timestamp. 
+! Default is to store only the date for fields with now hour in the 
+! format string.
+!
+nowMeansTime=0
+
+!---------------------------------------------------------------------
+!
+! STRING HANDLING PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! If set to 1 then String hashes use the JDK Object.hashCode() function.
+! By default, uses InstantDB's String hashing.
+!
+altStringHashing=0
+!
+! Set to 1 to cause LIKE clauses to always perform case insensitive 
+! comparisons. 
+!
+likeIgnoreCase=0
+!
+! Same as SET LITERAL STRICT_ON. Prevents string literals being interpreted
+! as column names or numbers. Default is 0.
+!
+strictLiterals=0
+!
+! Set this value to 1 (one) if you would like PreparedStatement.setString()
+! to ignore "\" (backslash) characters when proceesing string constants.
+! When set, InstantDB will not attempt to interpret \ as the start of an
+! escape sequence. Default is 0.
+!
+!prepareIgnoresEscapes=1
+
+!---------------------------------------------------------------------
+!
+! MISCELLANEOUS PROPERTIES
+!
+!---------------------------------------------------------------------
+
+!
+! Allows selected InstantDB keywords to be un-reserved. 
+! e.g. ignoreKeywords=url,quote would allow the keywords 
+! url and quote to be used as table or column names. 
+!
+! This faciliy is provided for compatatbility reasons only.
+! It's use is not recommended AND IS NOT SUPPORTED.
+!
+!ignoreKeywords
+!
+! Non-zero means database is opened in read only mode.
+!
+readOnly=0

webapp/javascript/DOMXSS.js

@@ -0,0 +1,5 @@
+function displayGreeting(name) {
+	if (name != ''){
+		document.getElementById("greeting").innerHTML="Hello, " + name+ "!";
+	}
+}

webapp/javascript/DOMXSS_backup.js

@@ -0,0 +1,5 @@
+function displayGreeting(name) {
+	if (name != ''){
+		document.getElementById("greeting").innerHTML="Hello, " + name+ "!";
+	}
+}

webapp/javascript/clientSideFiltering.js

@@ -0,0 +1,105 @@
+var dataFetched = false;
+
+function selectUser(){
+
+		var newEmployeeID = document.getElementById("UserSelect").options[document.getElementById("UserSelect").selectedIndex].value;
+
+	    if (navigator.userAgent.indexOf("MSIE ") == -1)
+    {
+			document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
+    }
+    else
+    {
+    		//IE is a buggy ....
+
+		var TR = document.createElement("tr");
+    	var TD0 = document.createElement("td");
+    	var TD1 = document.createElement("td");
+    	var TD2 = document.createElement("td");
+    	var TD3 = document.createElement("td");
+    	var TD4 = document.createElement("td");
+    	
+    	var text0 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[0].firstChild.nodeValue);
+    	var text1 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[1].firstChild.nodeValue);
+    	var text2 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[2].firstChild.nodeValue);
+    	var text3 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[3].firstChild.nodeValue);
+    	var text4 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[4].firstChild.nodeValue);
+
+    	TD0.appendChild(text0);
+    	TD1.appendChild(text1);
+    	TD2.appendChild(text2);
+    	TD3.appendChild(text3);
+    	TD4.appendChild(text4);
+    	
+    	TR.appendChild(TD0);
+    	TR.appendChild(TD1);
+    	TR.appendChild(TD2);
+    	TR.appendChild(TD3);
+    	TR.appendChild(TD4);
+    	
+    	document.getElementById("employeeRecord").appendChild(TR);    	
+    }   
+    
+}
+
+
+function fetchUserData(){
+	if(!dataFetched){
+		dataFetched = true;		
+		ajaxFunction(document.getElementById("userID").value);
+	}
+}
+
+
+
+
+
+function ajaxFunction(userId)
+  {
+         
+	var xmlHttp;
+  try
+    {
+
+    // Firefox, Opera 8.0+, Safari
+    xmlHttp=new XMLHttpRequest();
+
+    }
+  catch (e)
+    {
+ 
+    // Internet Explorer
+    try
+      {
+      xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
+      }
+    catch (e)
+      {
+      try
+        {
+       
+        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+      catch (e)
+        {
+        alert("Your browser does not support AJAX!");
+        return false;
+        }
+      }
+    }
+    xmlHttp.onreadystatechange=function()
+      {      
+      var result = xmlHttp.responseText;
+
+      if(xmlHttp.readyState==4)
+        {
+        	//We need to do this because IE is buggy
+        	var newdiv = document.createElement("div");
+        	newdiv.innerHTML = result;
+        	var container = document.getElementById("hiddenEmployeeRecords");
+        	container.appendChild(newdiv);     
+        }
+      }
+    xmlHttp.open("GET","lessons/Ajax/clientSideFiltering.jsp?userId=" + userId,true);
+    xmlHttp.send(null);
+  }

webapp/javascript/clientSideValidation.js

@@ -0,0 +1,145 @@
+var coupons = ["nvojubmq",
+"emph",
+"sfwmjt",
+"faopsc",
+"fopttfsq",
+"pxuttfsq"];
+
+
+function isValidCoupon(coupon) {
+	coupon = coupon.toUpperCase();
+	for(var i=0; i<coupons.length; i++) {
+		decrypted = decrypt(coupons[i]);
+		if(coupon == decrypted){
+			ajaxFunction(coupon);
+			return true;
+		}
+	}
+	return false;	
+}
+
+
+
+
+function decrypt(code){
+
+	code = code.toUpperCase();
+
+	alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	
+	caesar = '';
+
+	for (i = code.length ;i >= 0;i--){	
+	
+		for (j = 0;j<alpha.length;j++){		
+			
+			if(code.charAt(i) == alpha.charAt(j)){
+			
+				caesar = caesar + alpha.charAt((j+(alpha.length-1))%alpha.length);
+			}		
+		}
+	}	
+	return caesar;
+}
+
+function ajaxFunction(coupon)
+  {
+  
+  var xmlHttp;
+  try
+    {
+    // Firefox, Opera 8.0+, Safari
+    xmlHttp=new XMLHttpRequest();
+    }
+  catch (e)
+    {
+    // Internet Explorer
+    try
+      {
+      xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
+      }
+    catch (e)
+      {
+      try
+        {
+        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+      catch (e)
+        {
+        alert("Your browser does not support AJAX!");
+        return false;
+        }
+      }
+    }
+    xmlHttp.onreadystatechange=function()
+      {
+      if(xmlHttp.readyState==4)
+        {
+        document.form.GRANDTOT.value = calcTot(document.form.SUBTOT.value , xmlHttp.responseText);
+        }
+      }
+    xmlHttp.open("GET","lessons/Ajax/clientSideValidation.jsp?coupon=" + coupon,true);
+    xmlHttp.send(null);
+  }
+  
+  
+  function updateTotals(){
+
+	f = document.form;
+	
+	f.TOT1.value = calcTot(f.PRC1.value , f.QTY1.value);
+	f.TOT2.value = calcTot(f.PRC2.value , f.QTY2.value);
+	f.TOT3.value = calcTot(f.PRC3.value , f.QTY3.value);
+	f.TOT4.value = calcTot(f.PRC4.value , f.QTY4.value);	
+	
+	f.SUBTOT.value = formatCurrency(unFormat(f.TOT1.value) 
+							+ unFormat(f.TOT2.value) 
+							+ unFormat(f.TOT3.value) 
+							+ unFormat(f.TOT4.value));
+	
+	f.GRANDTOT.value = f.SUBTOT.value;	
+	
+	isValidCoupon(f.field1.value);
+	
+	
+}
+
+function unFormat(price){
+	
+	price = parseFloat(unFormatCurrency(price));
+
+	if(isNaN(price))
+		price = 0;
+	
+	return price;
+
+}
+
+function calcTot( price,  qty){
+	
+	price = unFormatCurrency(price);
+	
+	return formatCurrency(price*qty);
+}
+
+
+function unFormatCurrency(price){
+	price = price.toString().replace(/\$|\,/g,'');
+	return price;
+}
+
+function formatCurrency(num) {
+	num = num.toString().replace(/\$|\,/g,'');
+	if(isNaN(num))
+		num = "0";
+	sign = (num == (num = Math.abs(num)));
+	num = Math.floor(num*100+0.50000000001);
+	cents = num%100;
+	num = Math.floor(num/100).toString();
+	if(cents<10)
+		cents = "0" + cents;
+	for (var i = 0; i < Math.floor((num.length-(1+i))/3); i++)
+		num = num.substring(0,num.length-(4*i+3))+','+
+	num.substring(num.length-(4*i+3));
+	return (((sign)?'':'-') + '$' + num + '.' + cents);
+}

webapp/javascript/escape.js

@@ -0,0 +1,6 @@
+function escapeHTML (str) {
+   var div = document.createElement('div');
+   var text = document.createTextNode(str);
+   div.appendChild(text);
+   return div.innerHTML;
+}

webapp/javascript/eval.js

@@ -0,0 +1,62 @@
+var http_request = false;
+
+function makeXHR(method, url, parameters) {
+	  //alert('url: ' + url + ' parameters: ' + parameters);
+      http_request = false;
+      if (window.XMLHttpRequest) { // Mozilla, Safari,...
+         http_request = new XMLHttpRequest();
+         if (http_request.overrideMimeType) {
+            http_request.overrideMimeType('text/html');
+         }
+      } else if (window.ActiveXObject) { // IE
+         try {
+            http_request = new ActiveXObject("Msxml2.XMLHTTP");
+         } catch (e) {
+            try {
+               http_request = new ActiveXObject("Microsoft.XMLHTTP");
+            } catch (e) {}
+         }
+      }
+      if (!http_request) {
+         alert('Cannot create XMLHTTP instance');
+         return false;
+      }
+      
+      // http_request.onreadystatechange = alertContents;
+      http_request.open(method, url, true);
+      http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+      http_request.setRequestHeader("Content-length", parameters.length);
+      http_request.setRequestHeader("Connection", "close");
+      
+      http_request.onreadystatechange = function() {
+      		if(http_request.readyState == 4) {
+      			var status = http_request.status;
+      			var responseText = http_request.responseText;
+      			
+      			//alert('status: ' + status);
+      			//alert('responseText: ' + responseText);
+      			
+      			eval(http_request.responseText);      			
+		
+      			if(responseText.indexOf("');") != -1 
+	      			&& responseText.indexOf("alert") != -1 
+	      			&& responseText.indexOf("document.cookie") != -1){
+	      			
+	      			document.form.submit();
+      			}
+      			
+      		}
+      };
+      
+      http_request.send(parameters);
+}
+
+function purchase(url) {
+	var field1 = document.form.field1.value;
+	var field2 = document.form.field2.value;
+	
+	//alert('field1: ' + field1 + ' field2: ' + field2);
+	
+	var parameters = 'field1=' + field1 + '&field2=' + field2;
+	makeXHR('POST', url, parameters);
+}

webapp/javascript/instructor/DOMXSS_i.js

@@ -0,0 +1,13 @@
+function displayGreeting(name) {
+	if (name != ''){
+		document.getElementById("greeting").innerHTML="Hello, " + escapeHTML(name) + "!";
+	}
+}
+
+function escapeHTML (str) {
+   var div = document.createElement('div');
+   var text = document.createTextNode(str);
+   div.appendChild(text);
+   return div.innerHTML;
+}
+	

webapp/javascript/javascript.js

@@ -0,0 +1,6 @@
+function MM_reloadPage(init) {  //reloads the window if Nav4 resized
+  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
+    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
+  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
+}
+MM_reloadPage(true);

webapp/javascript/lessonNav.js

@@ -0,0 +1,59 @@
+// Logout and Help Swap Image 
+
+function MM_reloadPage(init) {  //reloads the window if Nav4 resized
+  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
+    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
+  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
+}
+MM_reloadPage(true);
+
+function MM_swapImgRestore() { //v3.0
+  var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
+}
+
+function MM_swapImage() { //v3.0
+  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
+   if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
+}
+
+// Lesson Nav bar image swapping
+
+function MM_preloadImages() { //v3.0
+  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
+    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
+    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
+}
+
+function MM_nbGroup(event, grpName) { //v6.0
+  var i,img,nbArr,args=MM_nbGroup.arguments;
+  if (event == "init" && args.length > 2) {
+    if ((img = MM_findObj(args[2])) != null && !img.MM_init) {
+      img.MM_init = true; img.MM_up = args[3]; img.MM_dn = img.src;
+      if ((nbArr = document[grpName]) == null) nbArr = document[grpName] = new Array();
+      nbArr[nbArr.length] = img;
+      for (i=4; i < args.length-1; i+=2) if ((img = MM_findObj(args[i])) != null) {
+        if (!img.MM_up) img.MM_up = img.src;
+        img.src = img.MM_dn = args[i+1];
+        nbArr[nbArr.length] = img;
+    } }
+  } else if (event == "over") {
+    document.MM_nbOver = nbArr = new Array();
+    for (i=1; i < args.length-1; i+=3) if ((img = MM_findObj(args[i])) != null) {
+      if (!img.MM_up) img.MM_up = img.src;
+      img.src = (img.MM_dn && args[i+2]) ? args[i+2] : ((args[i+1])? args[i+1] : img.MM_up);
+      nbArr[nbArr.length] = img;
+    }
+  } else if (event == "out" ) {
+    for (i=0; i < document.MM_nbOver.length; i++) {
+      img = document.MM_nbOver[i]; img.src = (img.MM_dn) ? img.MM_dn : img.MM_up; }
+  } else if (event == "down") {
+    nbArr = document[grpName];
+    if (nbArr)
+      for (i=0; i < nbArr.length; i++) { img=nbArr[i]; img.src = img.MM_up; img.MM_dn = 0; }
+    document[grpName] = nbArr = new Array();
+    for (i=2; i < args.length-1; i+=2) if ((img = MM_findObj(args[i])) != null) {
+      if (!img.MM_up) img.MM_up = img.src;
+      img.src = img.MM_dn = (args[i+1])? args[i+1] : img.MM_up;
+      nbArr[nbArr.length] = img;
+  } }
+}

webapp/javascript/makeWindow.js

@@ -0,0 +1,7 @@
+
+function makeWindow(url, windowName) 
+{
+	day = new Date();
+	id = day.getTime();
+	eval("page" + id + " = window.open(url, '" + id + "', 'toolbar=0,location=0,scrollbars=1,statusbar=0,menubar=0,resizable=1,width=600,height=500');");
+}

webapp/javascript/menu_system.js

@@ -0,0 +1,147 @@
+function changeLanguage(){
+	var select=MM_findObj("language",null);
+	
+	document.location="attack?language="+select.value;
+}	
+
+
+function MM_findObj(n, d) {
+  var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
+    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
+  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
+  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
+  if(!x && d.getElementById) x=d.getElementById(n); return x;
+}
+
+function getHW(t,a) {
+  var r,p,h=0,w=0;if((p=MM_findObj(a)) !=null){
+  if(document.all || document.getElementById){h=parseInt(p.offsetHeight);w=parseInt(p.offsetWidth);
+  if(!h){h=parseInt(p.style.pixelHeight);w=parseInt(p.style.pixelWidth);}
+  }else if(document.layers){h=parseInt(p.clip.height);w=parseInt(p.clip.width);}}
+  if(t=="width"){r=w;}else{r=h;}return r; 
+}
+
+function MM1dwt() {
+  var g,lh,sw,fr = false;
+  if(!document.mc)return;
+  for(var x=0;x<m1.length;x++){tl=m1[x].id;lh="P7CM1DWT0"+tl;
+	if((g=MM_findObj(lh)) !=null){fr=true;sw=0;break;}
+	lh="P7CM1DWT1"+tl;if((g=MM_findObj(lh)) !=null){fr=true;sw=1;break;}}
+  if(fr){eval("trigMenuMagic1('"+tl+"',"+sw+")");}
+}
+
+function setMenuMagic1() {
+  var s,d,g,g2,gg,ww,kx,th,tu,ts,nu,xx,k=0,pa=0;args=setMenuMagic1.arguments;
+  if((parseInt(navigator.appVersion)>4 || navigator.userAgent.indexOf("MSIE")>-1)&& navigator.userAgent.indexOf("Opera")==-1){pa="px";}
+  if(navigator.userAgent.indexOf("Opera")>-1){P7OperaW=window.innerWidth;P7OperaH=window.innerHeight;}
+  if(!document.mc) { m3=new Array();
+   m=new Array();document.mc=true;ms=new Array();document.imswap=new Array();document.imswapo=new Array();
+   m1=new Array();m2=new Array();mprop=new Object();mprop.offset=args[0];mprop.rate=args[1];
+   mprop.delay=args[2];mprop.bottom=args[3];
+   if(document.layers){mprop.pageh = document.height;}}
+  for(var x=4;x<args.length;x+=3){if((g=MM_findObj(args[x])) !=null){
+    m[k]=args[x];g.imname=args[x+2];g.sub=args[x+1];m3[k]=0;
+    g2=MM_findObj(args[x+2]);tu=g2.src;ts=tu.lastIndexOf(".");
+    nu=tu.substring(0,ts)+"_open"+tu.substring(ts,tu.length);
+	nu2=tu.substring(0,ts)+"_over"+tu.substring(ts,tu.length);
+    document.imswap[k]=new Image();document.imswap[k].src=tu;
+	document.imswapo[k]=new Image();document.imswapo[k].src=tu;k++;}}
+  var lf=0;for (var j=0;j<m.length;j++){
+   if((g=MM_findObj(m[j])) !=null){d=(document.layers)?g:g.style;m1[j]=g;g.waiting=false;
+    if(j==0){lf=parseInt(d.left);th=parseInt(d.top);}
+    if(j>0){d.left=(lf+pa);th+=getHW('height',m[j-1]);d.top=(th+pa);}
+    if((s=MM_findObj(g.sub)) !=null){m2[j]=s;ww=getHW('width',g.sub);
+     kx=lf-ww-30;dd=(document.layers)?s:s.style;
+     dd.left=(kx+pa);dd.top=(th+pa);ms[j]=th;dd.visibility="visible";s.open=false;s.waiting=false;}}}
+  if((g=MM_findObj(mprop.bottom)) !=null){d=(document.layers)?g:g.style;
+   d.left=(lf+parseInt(args[0])+pa);th+=getHW('height',m[m.length-1]);d.top=(th+pa);}
+}
+
+function BM1(el,x,y,a,b,c,s) {
+ var g,elo=el,f="",m=false,d="";x=parseInt(x);y=parseInt(y);
+ var t = 'g.BM = setTimeout("BM1(\''+elo+'\','; 
+ if ((g=MM_findObj(el))!=null) {d=(document.layers)?g:g.style;}else{return;}
+ var xx=(parseInt(d.left))?parseInt(d.left):0;
+ var yy=(parseInt(d.top))?parseInt(d.top):0;
+ var i=parseInt(a);
+  if (eval(g.moved)){clearTimeout(g.BM);}
+  if (xx<x){xx+=i;m=true;if(xx>x){xx=x;}}
+  if (xx>x){xx-=i;m=true;if(xx<x){xx=x;}}
+  if (yy<y){yy+=i;m=true;if(yy>y){yy=y;}}
+  if (yy>y){yy-=i;m=true;if(yy<y){yy=y;}}
+ if (m) {
+  if((parseInt(navigator.appVersion)>4 || navigator.userAgent.indexOf("MSIE")>-1)&& navigator.userAgent.indexOf("Opera")==-1){   
+   xx+="px";yy+="px";}d.left=xx;d.top=yy;g.moved=true;eval(t+x+','+y+','+a+','+b+','+c+',0)",'+b+')');
+  }else {g.moved=false;wait(elo);}
+}
+
+function wait(a) {
+  var ma,mb;if((mb=MM_findObj(a)) !=null){
+   if(!mb.waiting || mb.waiting=="none"){return;}
+    ma=mb.waiting;mb.waiting=false;eval(ma);}
+}
+
+function trigMenuMagic1(a,sw) {
+  var x,g,gg,d,dd,w,lp,tp,im,im2,ts,nu,e,pa=0;if(!document.mc)return;
+  if((parseInt(navigator.appVersion)>4 || navigator.userAgent.indexOf("MSIE")>-1)&& navigator.userAgent.indexOf("Opera")==-1){pa="px";}
+  if(navigator.userAgent.indexOf("Opera")>-1){if( P7OperaW!=window.innerWidth || P7OperaH!=window.innerHeight)setMenuMagic1();}
+  var ofs=parseInt(mprop.offset),trt = parseInt(mprop.rate);
+  var tdy=parseInt(mprop.delay),tsb,tlf,tst;for(x=0;x<m.length;x++){
+  if(m[x]==a){d=m1[x];dd=(document.layers)?d:d.style;g=m2[x];gg=(document.layers)?g:g.style;
+   e=MM_findObj(d.imname);im=e.src;ts=im.replace("_open","");ts=ts.replace("_over","");
+   if(!g.open){tst="closed";im2=ts.lastIndexOf(".");
+   nu=ts.substring(0,im2)+"_open"+ts.substring(im2,ts.length);ts = nu;}else{tst="open"}break;}}
+   if(document.mm1Q){trt=20000;document.mm1Q=false;}
+  for(j=0;j<m.length;j++){
+   d=m1[j];dd=(document.layers)?d:d.style;g=m2[j];gg=(document.layers)?g:g.style;
+   if(j==0){tlf=parseInt(dd.left);}if(g.open){
+   w=getHW('width',d.sub)+30;w-=parseInt(dd.left);w*=-1;d.waiting=false;
+   eval("BM1('"+d.sub+"',"+w+","+parseInt(gg.top)+","+20000+","+tdy+",0,0)");}
+   d.waiting=false;g.open=false;
+   if(parseInt(sw)==1){e=MM_findObj(d.imname);im=e.src;im2=im.replace("_open","");e.src=im2;}}
+  var tnt=new Array();var df=0,tcd=0,tdl=m[0];for(j=0;j<m.length;j++){
+  d=m1[j];dd=(document.layers)?d:d.style;g=m2[j];gg=(document.layers)?g:g.style;
+  if(j==0){th=parseInt(dd.top);}tnt[j]=th;df=Math.abs(parseInt(dd.top)-th);
+  if(df>tcd){tdl=m[j];tcd=df;}th+=getHW('height',m[j]);
+  if(x==j && tst=="closed"){tsb=th;if(m3[j]!=1){th+=getHW('height',d.sub);}}ms[j]=th;}
+  if(tst=="closed"){d=m1[x];dd=(document.layers)?d:d.style;
+   g=m2[x];gg=(document.layers)?g:g.style;lp=tlf+ofs;
+   gg.top=(tsb+pa);ms[x]=tsb;e=MM_findObj(d.imname);if(parseInt(sw)==1){e.src=ts;}
+   g.open=true;if(m3[x]!=1){gg.visibility="visible";var r;r=MM_findObj(tdl);		
+   r.waiting="BM1('"+d.sub+"',"+lp+","+tsb+","+20000+","+tdy+",0,0)" ;}
+   }else{d=m1[m1.length-1];d.waiting="none";}
+  for(j=0;j<m.length;j++ ){eval("BM1('"+m[j]+"',"+tlf+","+tnt[j]+","+trt+","+tdy+",0,0)");}
+  if((g=MM_findObj(mprop.bottom)) !=null){d=(document.layers)?g:g.style;g.waiting=false;
+   eval("BM1('"+mprop.bottom+"',"+(tlf+ofs)+","+th+","+trt+","+tdy+",0,0)");
+   th+=(document.layers)?getHW('height',mprop.bottom):0;}
+  if(document.layers){var tw2=document.width;
+    if(document.height<th) {document.height=th;document.width=tw2;}}
+}
+
+function rollCMenu1(ev,a,b) {
+ var e,im,ts,j,nu,g,x,tev=ev.type;
+ if(!document.mc)return;
+ if(tev=="mouseover"){for(x=0;x<m.length;x++){
+ if(m[x]==a){g=m2[x];if(parseInt(b)==0 && g.open) {break;return;}
+ e=MM_findObj(m1[x].imname);im=e.src;ts=im.replace("_open","");
+ ts=ts.replace("_over","");j=ts.lastIndexOf(".");
+ e.src=ts.substring(0,j)+"_over"+ts.substring(j,ts.length);break;}}
+ }else if(tev=="mouseout"){for(x=0;x<m.length;x++){
+ if(m[x]==a){e=MM_findObj(d=m1[x].imname);im=e.src;
+ g=m2[x];ts=im.replace("_open","");ts=ts.replace("_over","");
+ if(g.open){j=ts.lastIndexOf(".");
+ nu=ts.substring(0,j)+"_open"+ts.substring(j,ts.length);
+ }else{nu=ts;}e.src=nu;break;}}}
+}
+
+function trigMM1url(param,opt){
+  var ur,x,i,nv,mn,pr=new Array();
+  ur=document.URL;x=ur.indexOf("?");
+  if(x>1){pr=ur.substring(x+1,ur.length).split("&");
+  for(i=0;i<pr.length;i++){nv=pr[i].split("=");
+  if(nv.length>0){if(unescape(nv[0])==param){
+  mn="menu"+unescape(nv[1]);
+  eval("trigMenuMagic1('"+mn+"',"+opt+")");}}}}
+  }
+  
+  document.mm1Q=true;

webapp/javascript/sameOrigin.js

@@ -0,0 +1,101 @@
+
+
+
+function submitXHR(){
+
+	document.getElementById("responseTitle").innerHTML="Response: ";
+   	
+   	document.getElementById("responseArea").innerHTML=""; 
+
+	alert("creating XHR request for: " + document.getElementById("requestedURL").value);
+	
+
+	
+	try{
+		ajaxFunction();
+	}
+	catch(err){
+		alert(err);
+		document.getElementById("requestedURL").value=""; 
+	}
+}
+
+
+
+function ajaxFunction()
+  {
+	var xmlHttp;
+  try
+    {
+    // Firefox, Opera 8.0+, Safari
+    xmlHttp=new XMLHttpRequest();
+    }
+  catch (e)
+    {
+    // Internet Explorer
+    try
+      {
+      xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
+      }
+    catch (e)
+      {
+      try
+        {
+        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+      catch (e)
+        {
+        alert("Your browser does not support AJAX!");
+        return false;
+        }
+      }
+    }
+    xmlHttp.onreadystatechange=function()
+      {
+      
+      var result = xmlHttp.responseText;
+      if(xmlHttp.readyState==4)
+        {
+        	
+        	
+        	document.getElementById("responseTitle").innerHTML="Response from: " 
+        		+ document.getElementById("requestedURL").value ;
+        		
+        	document.getElementById("responseArea").innerHTML=result;         	
+        	
+        	document.getElementById("requestedURL").value=""; 
+        	
+        }
+      }
+      
+    xmlHttp.open("GET",document.getElementById("requestedURL").value,true);
+    xmlHttp.send(null);
+  }
+  
+  
+
+function populate(url){
+	document.getElementById("requestedURL").value=url; 
+	submitXHR();
+	
+	
+	var webGoatURL = "lessons/Ajax/sameOrigin.jsp";
+	var googleURL = "http://www.google.com/search?q=aspect+security";
+	
+	var hiddenWGStatus = document.getElementById("hiddenWGStatus");
+
+	var hiddenGoogleStatus = document.getElementById("hiddenGoogleStatus");
+	
+	
+	if (url == webGoatURL){	
+		hiddenWGStatus.value = 1;		
+	}
+	
+	if (url == googleURL){
+		hiddenGoogleStatus.value = 1;
+	}
+	
+	if (hiddenWGStatus.value == 1 && hiddenGoogleStatus.value == 1){
+		document.form.submit();
+	}
+}

webapp/javascript/toggle.js

@@ -0,0 +1,40 @@
+var iframe;
+
+function initIframe() {
+		var body;
+		var element;
+		
+		body = document.getElementsByTagName('body')[0];
+		element = document.getElementById('lessonPlans');
+		
+      	iframe = document.createElement('iframe');
+      	iframe.style.position = "absolute";
+      	iframe.style.visibility = "hidden";
+      	body.appendChild(iframe);
+        
+        // Configure the iFrame to border the lessonPlan
+        document.getElementsByTagName('body')[0].appendChild(element);
+        iframe.style.height = element.offsetHeight;
+        iframe.style.left = '275px';
+        iframe.style.top = '145px';
+        iframe.style.width = '474px';
+}
+        
+        
+function toggle(id) {
+		element = document.getElementById(id);
+
+        if (!element) return;
+
+        if (element.style.visibility=='visible' || element.style.visibility=='') {
+            iframe.style.visibility = 'hidden';
+            element.style.visibility = 'hidden';
+            element.style.overflow = 'hidden';
+            element.style.height='1';
+        } else {
+            iframe.style.visibility= 'visible';
+            element.style.visibility = 'visible';
+            element.style.overflow = 'visible';
+            element.style.height='';
+        }
+     }

webapp/lesson_plans/English/AccessControlMatrix.html

@@ -0,0 +1,9 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> Using an Access Control Matrix</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+In a role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control scheme normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role.  
+<p><b>General Goal(s):</b> </p>
+Each user is a member of a role that is allowed to access only certain resources. Your goal is to explore the access control rules that govern this site. Only the [Admin] group should have access to the 'Account Manager' resource.
+<!-- Stop Instructions -->

webapp/lesson_plans/English/BackDoors.html

@@ -0,0 +1,23 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Create Database Back Door Attacks.</p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+How to Create Database Back Door Attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+Databases are used usually as a backend for web applications. Also it is used as a media of storage. It can also
+be used as a place to store a malicious activity such as a trigger. A trigger is called by the database management
+system upon the execution of another database operation like insert, select, update or delete. An attacker for example
+can create a trigger that would set his email address instead of every new user's email address.
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+* Your goal should be to learn how you can exploit a vulnerable query to create a trigger.<br>
+* You will not be able to actually create one in this lesson because the underlying database engine used with WebGoat doesn't support triggers.<br>
+* Your login ID is 101. 
+<!-- Stop Instructions -->
+

webapp/lesson_plans/English/BasicAuthentication.html

@@ -0,0 +1,9 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Basic Authentication </p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+Basic Authentication is used to protect server side resources.  The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and send those credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.<br/>
+<p><b>General Goal(s):</b></p>
+For this lesson, your goal is to understand Basic Authentication and answer the questions below.
+<!-- Stop Instructions -->

webapp/lesson_plans/English/BlindSqlInjection.html

@@ -0,0 +1,15 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Perform Blind SQL Injection </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack. 
+<br>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.<br>
+<br>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br>
+<!-- Stop Instructions -->
+
+<p><b>General Goal(s):</b> </p>
+The form below allows a user to enter an account number and determine if it is valid or not.  Use this form to develop a true / false test check other entries in the database.<br><br>Reference Ascii Values: 'A' = 65   'Z' = 90   'a' = 97   'z' = 122<br><br>The goal is to find the value of the first_name in table user_data for userid 15613.  Put that name in the form to pass the lesson.

webapp/lesson_plans/English/CSRF.html

@@ -0,0 +1,26 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Request Forgery. </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+ This lesson teaches how to perform Cross Site Request Forgery (CSRF) attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains img links like the one below: 
+
+<pre>&lt;img src="<a href="http://www.mybank.com/transferFunds.do?acctId=123456" class='external free' title="http://www.mybank.com/transferFunds.do?acctId=123456" rel="nofollow">http://www.mybank.com/sendFunds.do?acctId=123456</a>"/&gt;</pre>
+
+When the victim's browser attempts to render this page, it will issue a request to www.mybank.com to the transferFunds.do page with the specified parameters. The browser will think the link is to get an image, even though it actually is a funds transfer function. 
+
+The request will include any cookies associated with the site. Therefore, if the user has authenticated to the site, and has either a permanent cookie or even a current session cookie, the site will have no way to distinguish this from a legitimate user request. 
+
+In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, or any other function provided by the vulnerable website
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/><b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
+<!-- Stop Instructions -->
+

webapp/lesson_plans/English/ChallengeScreen.html

@@ -0,0 +1,7 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> Putting it all together </p>
+</div><br/>
+<p><b>Concept / Topic To Teach:</b></p>
+This lesson creates a challenge that will help the student apply all that they have learned.<br/>
+<b>General Goal(s):</b><br/>
+Display the secret message.

webapp/lesson_plans/English/ClientSideFiltering.html

@@ -0,0 +1,12 @@
+<div align="Center">
+<p><b>Lesson Plan Title: </b>Client Side Filtering</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+It is always a good practice to send to the client only information which they are supposed
+to have access to.  In this lesson, too much information is being sent to the client, creating
+a serious access control problem.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+For this exercise, your mission is exploit the extraneous information being returned by the
+server to discover information to which you should not have access.

webapp/lesson_plans/English/ClientSideValidation.html

@@ -0,0 +1,15 @@
+<div align="Center">
+<p><b>Lesson Plan Title: </b>Insecure Client Storage</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+It is always a good practice to validate all input on the server side.  Leaving the
+mechanism for validation on the client side leaves it vulnerable to reverse
+engineering.  Remember, anything on the client side should not be
+considered a secret.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+For this exercise, your mission is to discover a coupon code to receive an unintended
+discount.  Then, exploit the use of client side validation to submit an order with a
+cost of zero.
+

webapp/lesson_plans/English/CommandInjection.html

@@ -0,0 +1,12 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Perform Command Injection</p>
+ </div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+Command&nbsp; injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.<br/>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.<br/>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br/>
+Try to inject a command to the operating system.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b></p>
+The user should be able to execute any command on the hosting OS.  

webapp/lesson_plans/English/ConcurrencyCart.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+               
+  <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
+  <title>Lesson Plan</title>
+</head>
+  <body>
+ 
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Shopping Cart Concurrency Flaw </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+ Web applications can handle many HTTP requests simultaneously.  Developers often use variables that are not thread safe. &nbsp;Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time. Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently. <br>
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price.
+<br>
+</body>
+</html>

webapp/lesson_plans/English/CrossSiteScripting.html

@@ -0,0 +1,12 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.<br>
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it. 
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b></p>
+For this exercise, you will perform stored and reflected XSS attacks.  You will also implement code changes in the web application to defeat these attacks.
+<br>
+

webapp/lesson_plans/English/CsrfPromptByPass.html

@@ -0,0 +1,33 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b>CSRF User Prompt By-Pass</p><br/>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+This lesson teaches how to perform CSRF attacks that by-pass user confirmation prompts.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+<p>
+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page 
+that contains a 'forged request' to execute commands with the victim's credentials.  Prompting 
+a user to confirm or cancel the command might sound like a solution, but can be by-passed if 
+the prompt is scriptable.  This lesson shows how to by-pass such a prompt by issuing another 
+forged request.  This can also apply to a series of prompts such as a wizard or issuing multiple 
+unrelated forged requests.</p> 
+
+
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple 
+malicious requests: the first to transfer funds, and the second a request to confirm the prompt 
+that the first request triggered.  The URL should point to the CSRF lesson with an extra 
+parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the 
+left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever 
+receives this email and happens to be authenticated at that time will have his funds transferred. 
+When you think the attack is successful, refresh the page and you will find the green check on 
+the left hand side menu.<br/>
+<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
+<!-- Stop Instructions -->
+