From 71460125b69853bc66650e558f1f1ff87f561267 Mon Sep 17 00:00:00 2001 From: mayhew64 <mayhew64@4033779f-a91e-0410-96ef-6bf7bf53c507> Date: Wed, 9 Jul 2008 00:17:20 +0000 Subject: [PATCH] Separated DB usage for messages in CSRF and Stored XSS Many cosmetic english changes Fixed IE rendering for Challenge git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@350 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../owasp/webgoat/lessons/AbstractLesson.java | 2 +- .../org/owasp/webgoat/lessons/CSRF.java | 20 ++++++++++----- .../webgoat/lessons/Challenge2Screen.java | 24 ++++++++++-------- .../owasp/webgoat/lessons/LogSpoofing.java | 2 +- .../webgoat/lessons/SessionFixation.java | 23 ++++++++--------- .../webgoat/lessons/SqlNumericInjection.java | 15 ++++++++--- .../org/owasp/webgoat/lessons/StoredXss.java | 20 +++++++++------ .../org/owasp/webgoat/session/CreateDB.java | 2 +- .../org/owasp/webgoat/session/WebSession.java | 13 +++++----- .../WebContent/css/webgoat_challenge.css | 17 ++++++++----- .../WebContent/images/introduction/Thumbs.db | Bin 9728 -> 0 bytes .../WebContent/lesson_plans/HttpOnly.html | 1 + .../WebContent/lesson_plans/TomcatSetup.html | 10 ++++---- main/project/WebContent/webgoat_challenge.jsp | 20 ++++++++------- 14 files changed, 99 insertions(+), 70 deletions(-) delete mode 100644 main/project/WebContent/images/introduction/Thumbs.db diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java index 5f933c25c..7af2d7439 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java 
@@ -59,7 +59,7 @@ import org.owasp.webgoat.session.WebgoatProperties; * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @created October 28, 2003 */ -public abstract class AbstractLesson extends Screen implements Comparable +public abstract class AbstractLesson extends Screen implements Comparable<Object> { /** diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java index dbfd7ecfe..e661e06a3 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java @@ -87,7 +87,7 @@ public class CSRF extends LessonAdapter Connection connection = DatabaseUtilities.getConnection(s); - String query = "INSERT INTO messages VALUES (?, ?, ?, ? )"; + String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -95,6 +95,7 @@ public class CSRF extends LessonAdapter statement.setString(2, title); statement.setString(3, message); statement.setString(4, s.getUserName()); + statement.setString(5, this.getClass().getName()); statement.execute(); } catch (Exception e) 
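Review bot: `implements Comparable<Object>` in the new class declaration silences the raw-type warning without gaining any type safety, because compareTo must still accept an arbitrary Object and cast inside. If lessons are only ever compared with each other, `public abstract class AbstractLesson extends Screen implements Comparable<AbstractLesson>` lets the compiler reject foreign arguments and makes sorted collections of lessons type-check. compareTo itself is outside this hunk, so its parameter type would have to change together with the declaration.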
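Review bot: The widened `INSERT INTO messages VALUES (?, ?, ?, ?, ? )` still binds by position, so the meaning of the new fifth parameter set in the following hunk (`statement.setString(5, this.getClass().getName())`) depends entirely on the column order declared in CreateDB. Listing the columns — `String query = "INSERT INTO messages (num, title, message, user_name, lesson_type) VALUES (?, ?, ?, ?, ?)";` — documents that binding and survives a reordered or extended table; the same applies to the identical INSERT in StoredXss at @@ -96. Separately, `ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY` describe a result set that an INSERT never produces, so `connection.prepareStatement(query)` is sufficient here.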
@@ -170,11 +171,17 @@ public class CSRF extends LessonAdapter { Connection connection = DatabaseUtilities.getConnection(s); - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); + // edit by Chuck Willis - Added logic to associate similar usernames + // The idea is that users chuck-1, chuck-2, etc will see each other's messages + // but not anyone elses. This allows users to try out XSS to grab another user's + // cookies, but not get confused by other users scripts - ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '" - + getNameroot(s.getUserName()) + "%'"); + String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?"; + PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.setString(1, getNameroot(s.getUserName()) + "%"); + statement.setString(2, getClass().getName()); + ResultSet results = statement.executeQuery(); if ((results != null) && (results.first() == true)) { @@ -223,11 +230,12 @@ public class CSRF extends LessonAdapter Connection connection = DatabaseUtilities.getConnection(s); - String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?"; + String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); statement.setString(1, getNameroot(s.getUserName()) + "%"); statement.setInt(2, messageNum); + statement.setString(3, this.getClass().getName()); ResultSet results = statement.executeQuery(); if ((results != null) && results.first()) diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java index 23e650d92..924767fb8 100644 
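Review bot: The new `user_name LIKE ?` bind is parameterized, which closes the string concatenation the removed lines had, but the pattern `getNameroot(s.getUserName()) + "%"` is still interpreted by LIKE: `%` and `_` inside the name root act as wildcards, so the isolation the added comment describes (chuck-1 and chuck-2 see each other's messages but nobody else's) holds only for names without those characters. Escaping them in the root before appending `%`, with a matching `ESCAPE` clause in the query, makes the boundary depend on the query rather than on username composition. The same pattern is used in the @@ -223 hunk below and in StoredXss at @@ -204 and @@ -313. getNameroot is outside the hunk, so whether it already strips such characters cannot be seen here.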
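Review bot: `if ((results != null) && results.first())` after the new three-parameter query keeps a null check that can never fire, since `PreparedStatement.executeQuery()` is specified never to return null; `if (results.first())` is the honest condition. The new bind also reads `this.getClass().getName()` while the hunk above uses `getClass().getName()`; one form throughout makes it obvious that the two queries filter on the same value.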
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java @@ -252,6 +252,7 @@ public class Challenge2Screen extends SequentialLessonAdapter if (v.size() == 13) { s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3!"); + s.setMessage(" - Look in the credit card pull down to see the numbers."); ec.addElement(new BR()); // TR inf = new TR(); Center center = new Center(); @@ -340,7 +341,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ec.addElement(t); } catch (Exception e) { - ec.addElement(new P().addElement("Select a message to read from the Message List below")); + ec.addElement(new P().addElement("Error in obtaining network status")); } ec.addElement(new HR()); @@ -557,7 +558,7 @@ public class Challenge2Screen extends SequentialLessonAdapter String instructions = "Your mission is to break the authentication scheme, " + "steal all the credit cards from the database, and then deface the website. " + "You will have to use many of the techniques you have learned in the other lessons. " - + "The main webpage for this site is 'webgoat_challenge_<username>.jsp'"; + + "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'"; return (instructions); } 
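Review bot: The added `s.setMessage(" - Look in the credit card pull down to see the numbers.")` immediately follows another `setMessage` call, so what the user sees depends on WebSession.setMessage, which is outside this hunk: if it replaces the buffer, the "Congratulations" line is lost; if it appends with its own separator, the leading ` - ` is duplicated. A single call is unambiguous either way: `s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3! Look in the credit card pull down to see the numbers.");`.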
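Review bot: The reworded fallback `ec.addElement(new P().addElement("Error in obtaining network status"))` sits in a `catch (Exception e)` that still discards `e`, so a failing network-status lookup leaves no record of its cause. Logging the exception in the catch before adding the placeholder paragraph lets the generic text stay user-facing while the reason is kept for the operator; the file's logging facility is not visible in this diff. The enclosing try and method begin outside the hunk.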
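Review bot: `+ "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'"` concatenates the user name into instruction text that the sibling lessons build as HTML (their instruction strings carry `<b>` tags), so the name would be emitted as markup. If user names are not limited to administrator-defined accounts, encode the name before concatenating it; how `instructions` is rendered is outside the hunk, so this needs confirming against the renderer.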
@@ -623,18 +624,19 @@ public class Challenge2Screen extends SequentialLessonAdapter ElementContainer ec = new ElementContainer(); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("80%").setAlign("center"); if (s.isColor()) { t.setBorder(1); } + String[] colWidths = new String[]{"55", "110", "260", "70"}; TR tr = new TR(); - tr.addElement(new TH().addElement("Protocol").setWidth("7%")); - tr.addElement(new TH().addElement("Local Address").setWidth("80%")); - tr.addElement(new TH().addElement("Foreign Address").setWidth("10%")); - tr.addElement(new TH().addElement("State").setWidth("3%")); + tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0])); + tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1])); + tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2])); + tr.addElement(new TH().addElement("State").setWidth(colWidths[3])); t.addElement(tr); String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp"); @@ -672,12 +674,14 @@ public class Challenge2Screen extends SequentialLessonAdapter { // in order to avoid a ill-rendered screen when the user performs // command injection, we will wrap the screen at 4 columns - int columnCount = 4; + int columnCount = 0; tr = new TR(); + TD td; StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t "); - while (tokens.hasMoreTokens() && columnCount-- > 0) + while (tokens.hasMoreTokens() && columnCount <4) { - tr.addElement(new TD().addElement(tokens.nextToken())); + td = new TD().setWidth(colWidths[columnCount++]); + tr.addElement(td.addElement(tokens.nextToken())); } t.addElement(tr); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java index 2181706f8..98a1bb3ae 100644 
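Review bot: `while (tokens.hasMoreTokens() && columnCount <4)` restates the length of `colWidths` as a literal, so the `colWidths[columnCount++]` index stays in bounds only while the two are edited together; `columnCount < colWidths.length` ties the loop to the array it indexes. `TD td;` declared before the loop and assigned inside it can become a loop-local `TD td = new TD().setWidth(colWidths[columnCount++]);`, which also removes the separate `td.addElement(...)` step. The comment above the loop still says the screen is wrapped at 4 columns, which remains true with either form; the loop's enclosing method starts in the hunk above and continues past this one.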
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java @@ -134,7 +134,7 @@ public class LogSpoofing extends LessonAdapter protected List<String> getHints(WebSession s) { List<String> hints = new ArrayList<String>(); - hints.add("Try to fool the humane eye by using new lines."); + hints.add("Try to fool the human eye by using new lines."); hints.add("Use CR (%0d) and LF (%0a) for a new line."); hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); hints diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java index 74305ed19..31e8caf74 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java @@ -107,7 +107,6 @@ public class SessionFixation extends SequentialLessonAdapter String randomSid = randomSIDGenerator(); s.add("SID", randomSid); this.sid = randomSid; - System.out.println("RANDOMSID " + randomSid); } String name = s.getParser().getStringParameter(USER, ""); 
@@ -245,12 +244,12 @@ public class SessionFixation extends SequentialLessonAdapter String link = getLink(); String mailText = "<b>Dear MS. Plane</b> <br><br>" + "During the last week we had a few problems with our database. " - + "A lot of people complained that there account details are wrong. " - + "That is why we kindly ask you to use following link to verify your " + + "We have received many complaints regarding incorrect account details. " + + "Please use the following link to verify your account " + "data:<br><br><center><a href=http://localhost/WebGoat/" + link + "> Goat Hills Financial</a></center><br><br>" - + "We are sorry for the caused inconvenience and thank you for your cooparation.<br><br>" + + "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>" + "<b>Your Goat Hills Financial Team</b><center> <br><br><img src='images/WebGoatFinancial/banklogo.jpg'></center>"; ElementContainer ec = new ElementContainer(); 
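Review bot: The reworded line `+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"` introduces a stray "the" and keeps the misspelling "cooparation", in a change whose stated purpose is copy cleanup. Suggested text: `+ "We are sorry for any inconvenience and thank you for your cooperation.<br><br>"`.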
@@ -738,22 +737,22 @@ public class SessionFixation extends SequentialLessonAdapter { instructions += "You are Hacker Joe and " + "you want to steal the session from Jane. " + - "That is why you have to send a prepared mail " + - "which looks like an official mail from the bank" + - "to her. The mail is already prepared. Only " + - "thing missing is a Session ID (SID) in the Link. Alter " + + "Send a prepared email to the victim " + + "which looks like an official email from the bank. " + + "A template message is prepared below, you will need to add " + + "a Session ID (SID) in the link inside the email. Alter " + "the link to include a SID.<br><br><b>You are: Hacker Joe</b>"; } else if (stage == 2) { - instructions += "Now you are the victim Jane who received the mail you see. " + - "If you point on the link with your mouse you will see that there is a SID included." + + instructions += "Now you are the victim Jane who received the email below. " + + "If you point on the link with your mouse you will see that there is a SID included. " + "Click on it to see what happens.<br><br><b>You are: Victim Jane</b> "; } else if (stage == 3) { - instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are " + - "correct ;). Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> "; + instructions += "The bank has asked you to verfy your data. Log in to see if your details are " + + "correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> "; } else if (stage == 4) { diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java index d29fb0222..9f0172a47 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java 
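Review bot: The new stage-3 string `"The bank has asked you to verfy your data. Log in to see if your details are "` carries the misspelling "verfy" over from the removed line. Suggested text: `"The bank has asked you to verify your data. Log in to see if your details are "`. The instruction builder continues outside the hunk.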
@@ -128,7 +128,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter { makeSuccess(s); getLessonTracker(s).setStage(2); - s.setMessage("Start this lesson over to attack a parameterized query."); + StringBuffer msg = new StringBuffer(); + + msg.append("Bet you can't do it again! "); + msg.append("This lesson has detected your successfull attack "); + msg.append("and has now switched to a defensive mode. "); + msg.append("Try again to attack a parameterized query."); + + s.setMessage(msg.toString()); } } else @@ -222,9 +229,9 @@ public class SqlNumericInjection extends SequentialLessonAdapter ec.addElement(new P().addElement("Select your local weather station: ")); - Map stations = getStations(s); + Map<String, String> stations = getStations(s); Select select = new Select(STATION_ID); - Iterator it = stations.keySet().iterator(); + Iterator<String> it = stations.keySet().iterator(); while (it.hasNext()) { String key = (String) it.next(); @@ -244,7 +251,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter * * @return A map containing each station, indexed by station number */ - protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException + protected Map<String, String> getStations(WebSession s) throws SQLException, ClassNotFoundException { Connection connection = DatabaseUtilities.getConnection(s); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java index 9e395041d..35c7b6606 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java 
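Review bot: `StringBuffer msg = new StringBuffer();` is a method-local buffer that never leaves the block, so the synchronized `StringBuffer` buys nothing; `StringBuilder` is the usual choice, and this file already uses Java 5 features (`Map<String, String>` in the hunk below). The appended text also misspells "successfull": `msg.append("This lesson has detected your successful attack ");`. With four constant fragments, a single concatenated literal passed directly to `s.setMessage` reads the same without any buffer.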
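Review bot: Once `it` is declared as `Iterator<String>`, the cast in the following context line `String key = (String) it.next();` is redundant and can be `String key = it.next();`. A `for (String key : stations.keySet())` loop would remove the explicit iterator altogether; the loop body that reads the values is outside the hunk.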
@@ -96,7 +96,7 @@ public class StoredXss extends LessonAdapter Connection connection = DatabaseUtilities.getConnection(s); - String query = "INSERT INTO messages VALUES (?, ?, ?, ? )"; + String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -104,6 +104,7 @@ public class StoredXss extends LessonAdapter statement.setString(2, title); statement.setString(3, message); statement.setString(4, s.getUserName()); + statement.setString(5, this.getClass().getName()); statement.execute(); } catch (Exception e) { @@ -204,11 +205,12 @@ public class StoredXss extends LessonAdapter // but not anyone elses. This allows users to try out XSS to grab another user's // cookies, but not get confused by other users scripts - String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?"; + String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); statement.setString(1, getNameroot(s.getUserName()) + "%"); statement.setInt(2, messageNum); + statement.setString(3, this.getClass().getName()); ResultSet results = statement.executeQuery(); if ((results != null) && results.first()) @@ -305,7 +307,7 @@ public class StoredXss extends LessonAdapter * Description of the Parameter * @return Description of the Return Value */ - public static Element makeList(WebSession s) + public Element makeList(WebSession s) { Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); 
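Review bot: The Javadoc above the new `public Element makeList(WebSession s)` signature still holds generator placeholders (`Description of the Parameter`, `Description of the Return Value`); since the signature is changing anyway, this is the moment to state the contract, e.g. `@param s the current session; its user name and this lesson's class name select which messages are listed` and `@return a table of the matching message titles`. Dropping `static` is what lets the @@ -313 hunk call `getClass().getName()`, but it is an interface change: any caller that invoked `StoredXss.makeList(s)` statically no longer compiles, and no caller is visible in this diff.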
@@ -313,16 +315,18 @@ public class StoredXss extends LessonAdapter { Connection connection = DatabaseUtilities.getConnection(s); - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); // edit by Chuck Willis - Added logic to associate similar usernames // The idea is that users chuck-1, chuck-2, etc will see each other's messages // but not anyone elses. This allows users to try out XSS to grab another user's // cookies, but not get confused by other users scripts - ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '" - + getNameroot(s.getUserName()) + "%'"); - + String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?"; + PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.setString(1, getNameroot(s.getUserName()) + "%"); + statement.setString(2, getClass().getName()); + ResultSet results = statement.executeQuery(); + if ((results != null) && (results.first() == true)) { results.beforeFirst(); diff --git a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java index 852f2859c..793607bf6 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java @@ -66,7 +66,7 @@ public class CreateDB try { String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," - + "message varchar(200)," + "user_name varchar(50) not null " + ")"; + + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { 
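Review bot: `lesson_type varchar(50) not null` is populated by `this.getClass().getName()` in CSRF and StoredXss, i.e. a fully qualified name whose `org.owasp.webgoat.lessons.` prefix alone is 26 characters, so any lesson whose simple name exceeds 24 characters is truncated or rejected depending on the database. Either widen the column or store `getClass().getSimpleName()` consistently in both the writers and the readers. Databases created by the old `CREATE TABLE` also lack the column; whether CreateDB drops and recreates the table is outside the hunk.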
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java index a76cc35bf..45392ee8a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java @@ -168,6 +168,7 @@ public class WebSession private boolean isColor = false; private boolean isDebug = false; + private boolean hasHackedHackableAdmin = false; private StringBuffer message = new StringBuffer(""); @@ -363,11 +364,11 @@ public class WebSession public String getCurrentLink() { String thisLink = "attack"; - Enumeration e = request.getParameterNames(); + Enumeration<String> e = request.getParameterNames(); boolean isFirstParameter = true; while (e.hasMoreElements()) { - String name = (String) e.nextElement(); + String name = e.nextElement(); if (isFirstParameter) { isFirstParameter = false; @@ -428,7 +429,7 @@ public class WebSession { params = new Vector<Parameter>(); - Enumeration e = getParser().getParameterNames(); + Enumeration<String> e = getParser().getParameterNames(); while ((e != null) && e.hasMoreElements()) { @@ -448,9 +449,9 @@ public class WebSession return params; } - public List getCookies() + public List<Cookie> getCookies() { - List cookies = null; + List<Cookie> cookies = null; if (showCookies()) cookies = Arrays.asList(request.getCookies()); @@ -669,7 +670,7 @@ public class WebSession public LessonSession getLessonSession(AbstractLesson lesson) { - return (LessonSession) lessonSessions.get(lesson); + return lessonSessions.get(lesson); } /** diff --git a/main/project/WebContent/css/webgoat_challenge.css b/main/project/WebContent/css/webgoat_challenge.css index b72336e5a..0633cedcc 100644 --- a/main/project/WebContent/css/webgoat_challenge.css +++ b/main/project/WebContent/css/webgoat_challenge.css 
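Review bot: `private boolean hasHackedHackableAdmin = false;` is added but nothing in this commit reads or writes it — the diffstat's 13 changed lines for WebSession are all accounted for by the hunks shown, none of which reference the field. If it is groundwork for a later change, a comment saying so (or adding it together with its accessor) keeps it from reading as dead state.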
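Review bot: The typed `List<Cookie> cookies = null;` still feeds `Arrays.asList(request.getCookies())` on the next line, and `HttpServletRequest.getCookies()` returns null when the request carries no cookies, so `Arrays.asList` throws a NullPointerException on a cookie-less request whenever `showCookies()` is true. Guarding it — `Cookie[] raw = request.getCookies(); cookies = raw == null ? null : Arrays.asList(raw);` — keeps the method's null-returning contract for existing callers. The rest of the method is outside the hunk.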
@@ -6,8 +6,9 @@ } #top_ch{ - height:86px; width: 500px; + height:136px; + background-image: url(../images/header/header.jpg); } #wrap_ch { @@ -19,22 +20,24 @@ } #start_ch { - height: 300px; - padding: 10px 50px 10px 50px; - font-size: 12px; + height: 350px; + width: 500px; + padding: 10px 10px 10px 10px; + font-size: 15px; } #warning_ch { border: 1px solid #666666; padding: 10px; font-size: 10px; color: #FF3300; - width: 400px; - margin-left: 50px; + width: 450px; + margin-left: 5px; + margin-right: 5px; } #team_ch { } .style1_ch { - font-size: 10px; + font-size: 11px; font-weight: bold; } .style2_ch { 
diff --git a/main/project/WebContent/images/introduction/Thumbs.db b/main/project/WebContent/images/introduction/Thumbs.db deleted file mode 100644 index 94a125e02b209b54e971f9bd81f5baec0cf73812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9728 zcmeI2cUTn3w!oVtNkEVwL6ES@g20l4!iX*mm~hBB2aybt!vH3tpePu?AxKgXkt9Jt zQHCG_1CntF3X+H5IKYHgW4Ld3-+lM<?tAx-{k|>cH{CsTs_LAo>eE$y=;`L1$SD_? zg#M7UAUcRlVTN}6=64!!PUTD51wpjngnCV;P$*x2gdlMGclrzU014>I`E3m8!I1$# z9dkwi6Mz}O0$>H~1h4_v0UQ7@1-^_ub^QNMf6X2+gnYo?d1xP`19^j^KNJc^^~V!0 zm@(fir}~3`m3%9d%d3;yXy|}Yv*1@r`F~a52lD74TAJ_eQ;$DT<cmlYby9<*@b&Pg zzp3q0eIV7QA8lU>$ZmggtcriS<*x<5+fTiBf3$sFAbW~>V}nH1ojPt*{r}AUPxT#K zfZYIY01to{zz5g^;0Fi*sKYG;*b5K_hyeBhL;+#|aexHiC%}Hd0e~dnX8_f|NQ2`+ zfDAwuAP4vbK%GC-F{JjR5<nTC0#F600n`B+fJ1=808M}v00uY$&;}d@90U9c&;d}} zgM*_UKp$`%Z~|}=a0+l5U;sD+KmZH@MgU`g3BVL!1~3O$04xDk0Be8^z!qQ!um?B* z905)MXMhX972pOq3vdUV19$+adU=7P_qTKEc>iA$)u+<{{K5S|8KO);yN>JX>q0bO zQrlA%q>O^Dp`)dxen6rJ9|k4{26}o17DmP$OgmY2?qp?QWo2XM+Qr7s$<E5Ui+302 zZf+hPo}C<gdw99`aB=f+Q!AmN17+wLm>C$Dx!G9Rxc}`$X@)qNK;PTb(TG8`oHTTt zG?bUrc|^kiw52NiEz!^d9d|G?F|)7&fvR2L4yB``rKh864WuJMK19#Sz$GfLy<<1R zfl<tlTOsCJ4wLxN^5;B;y*LR)NB>x67GAzR`~pAiKOp(Dl#;TFs+zjSv0rs`;d=VV zjf_o9&CD$<ot#}<-Ojq73pgJb6dV#7cH!cs%U9y!6RxM-xS5`D>-L@8y!-hDg+;{= zo>Wv;Ro6VNt$We(@>MIkt-S-&*Z+24aA<gBa%%ehhnd-rbMvcf>l>f&p9z~=RJ&*( zy02#a!?Hiv#R=@9rKhK(XQbLiLmLdB<D_R0mEXaojbL=}+byOL!^C~`T2A?MW^qMB z9FL=aFAJ}P(&SI8RMWm#_G5;{{wd4;Vc37$H3IFVqXC0Q#|du0ZJ03$)gV&xW`F&? 
zDR<g~;djj2M`|Je#+eGACYO~fpI0xYb?Yz&FT3cyiF%MXkY9xx+j_g!Fyj02{%#44 z`eG@K@*{adJEw7v(%_g<xdVK47vtRmcUSt!G-eB{>MXZ>;1|5Ay`$bnU)xeq-I%*3 z9xb<c4YvtrJVSw+o5)qio1R>W=F4gNdKH#7pN^2??RTVUoEsNWQYm)6mf@wl>jEKB zCn3ehY_k)8hHUgY18<HK*igk1cqq_7F(2L@r?BC%LS&&p3ugJrNBfgVjWSQ)EcH&W z&y5+9sz>>^&xZ#j52tuXDq=FKi;0tqImE&n=b9>NE-4M=g=-!%>>t0&CZyV%gIHKk zWiy1)S4v*YkB~1_X=aHj8g(HoWh|}O_IZifz80&g<>TUfdeGKNC~VaX_M{9pn~D8A z=N@i}dINJ~M<-fFaP<hQ+uE?2R7)C*wIf;i+MmP3g`CQiDu}|prEXc`xaCqmZnyX8 znn%Z&86V3s5s#FeC3iGXpnCyGY<}Lh)H*q|ivmTZr+C0-IH+}^E?HV1jERsh(K7Or zF0!&0*0OaLTHlzeR-!-`1?X2__6=c&52f!=m%Wxi({uge)u^g@kzq5``Wv6^jY_18 zEwWp^X$6D9SCAdH)$nSknC^}rGH^ofNY`o?o^uoItnMWZw7ogy{_as$LFL)QiPHy< z8Yrl6KFqx7blKsfrpNA<-JKry&tje&UM;Pj-re>(IgZe=>9$EaWQvY+;o~zsy`3%N z^YlJfYIZC-+h8`~ws&i_&L~Z;^|4uN125;%ga>Wg@n~P;YYUquuP~MTd5&^2w#uzj zbh{KO(7dwUaZF{h%Z#~CmCjIRyo6pq9hyF&Pnf;@jES=JhU<IIKw%_HmafqWIgUE0 zE;;8+ezahD40c0V4)2}N`!Z_W+sTzBQ;T_DD&ypx+Yx;BHVIhl?&SNdMTD9AT01M{ za|KC9melFTMb)zpx=<je5p-CEcFD-Aa}S@kibX8FcUB2$HzlUz+XP{pu=N)4K|(6d zX(?sOQX%_$={T15>Mb{`*Cov|DqRl|Xobt*M?Y=WICwjuPoCiwz3L@wy*Mx#Ata<X zD^m6}-wb1&TKD=S{ES3e%0Qt3g9RLe-&Sjl>J>(kqBdG4!jDO-^#?+F`#36fV$hhx zONpjihgJPnVpj`JPWv<Kbt%m1Y#-7+iMc5e3k!Mn?9?fr$@*}26U^F%<e`S9$^vXh z$vjJT%VkIZuqVRr`mGO!s$O!4T{zvB8^4s?J)Ei=e>w6cq^o*WuiMA+W1w2;`O&VQ zy_a4+HIKf|&t%h_@kUjZu6Q%R+V;X^{iP>;vf|GgcG|;rEZ&c1<*C2${UwCIRK~1@ zPvPBgS3r^V1*Ic#7}p5<YPBJ~`G8E*G(>%cVq$s*+^w*E(!%Sw^{A!$96y}1%m1|B zXM>$#;cq`)xiG-TIW`oBqKSJNA$(fBd!XSxL3f%f?vr5a2n+3KE8|Jho5p*Uj|sA& z`wbKgpGlSQ*ZS0BANYsvA%>ai78bj2)m-t+VRl2h37tw8w(hFAZm{0HVA?b(icwi6 zV`@eRgEI-lg>G?NRD$69x5^*ZubM<WroA>O<Y(oD%k52b!#5W3sqeWX3$vsT^z{gH z=`ZG1?L8%)DTS6UKY)8U3cruK(KKm&G(xH>{%xB1Tf~*XJEEw88u(>nNNYUEZ+?{m zB|~0b!q=k=DbOXsukz+tT(TUIJWheIejs1ucUO?-(l=?t{%BzXj(*Yv8MWkROo1i^ z>^4dD6sU2U0tu9<T&xaG?@N3b&$2AIx2L#mnI_wn<8p**LHFdiu)B=O2Nl1)ukJQ@ z-22qTj-uy!E+)!B8|s&}7$lcH)39=!kS3hs;pQOo>}5PprGrGmc*lgKNC+)+tA=Uo z%~gTDu1lp$OUpdyLxq>7j5cJmg{vxyPcIF1D2qBj3Kot)VUgP(duQ88pMgHfehbq# 
zJXjOU>EBt4L>?~WxThgIR%180qsmh`y<cX)`Rp~TR0+qzwSAm~0TtI8T`cOrXDoS3 zDRd1PNr6`KEKnY4<Zvs{A6Rmg+{k<2#s(<RXHa*k&Mg}O+dnkt8u`dzbIFGSA(31C zzdg6O)LZynr*AqA_<X6Z`dfAS_*&R(RTGH>+&sdSPZ#w~6SR{k!|l6!6<!V?f7kqp z-^;^q5sVP4s(9OL^uD8lt}(Pt!|NAWG|H#d9(|m%?A@ap7D|Dl%Lv9~W|39+N7ScT zK60$I4^P8<)q!03WF<_nn>s0_gaUQH$)Z3JWduX5#1ajKyQPPB>`^me+%(fqkT+UF zIh#GP8GbcFP&BHnwa7qR>R7GTuPJ*UQYx|-=|+w^zq0)S`J(PHB0;la@xrj|;w-HE z6KZp_uW98b1!DQ##m7}$NqqMc4(Ixc__w7I$J_&5tJmDun3>JA^z8G*d;GAa?!cEV zz}D9bkyvRmPw!L`V#&@~xc!f+B7Ud189YHAULBbl{?j;$GW_+O0(IrK0`^0Hh4rW2 z-|NqB>*~M!`g7~TOBj2DqF<nI&6>qtZI`v!v9WtH&71zmch@g(Og)%KF*h)~$z%rW zdod)Bd0cmsT4t2_ka}yrh4Eee&t=N`k7RlG*BYzI*Ie_S&x2Oe(g<5-+N79}HF4Cg z(YR>(Uwc|mewj$ArKH)tf<fxmj-T{}9VWVmXPfWs+qUp<tu@D<Q@)xb3eok}us_o< zGi-V?7(G~!RYZX%f+>(?ecXKkjmA!&CHJ5Fst@hUE(j0gpWW=IKqEDF^)Ot*d`Lid zTa%n7*{5*!xXEm!1X=*$VV-x%ZaA^Iv+s0240i~4LPNR5w-Yz#3g<-#f;Khy(!tE4 z2$|v~1*Xr7)->p@&vgM?CW&RN=Zv}(bslv22s(A@ROk-39k{MOExuZWe+#>vu{cRA zn#{ll;2h8QtxzDGO1|Cj%JaECgGR7&?wD_yWE*&K95%V{sqFC3X%sIXZnO<NYJ72* zpU}G5WTp-~;h8ptv()mJ3W={ZGY^Sp*hNQi*{1Vh3H*j-%}p!^POxH$tdAb_y{OAn zNJp96`2c(B*^4}*XvOKSEv9qUVhCdObVyq`G19$xYg2q^!fXO{X)r%|mdw!Kjtgkf z(>>@7)RL+%TYN=<P(k3?!X`4DNP)DLfVUK|#n`=WxvrU#MbyHiaNFe`F{L$cn-^<c zT+J%68Z6oxv`JX+D`_bVx#}RZK57+zLT^FA>8h_W{JI+2cJ|In>9Tlzta^^0grTI1 zL(heG&pv8$@Ol_!<4E}*-d3T9yxpp9vs7>U=frJvvfPsv;f3y2?X|w?g(mIixD_TW zH5=XZVFCB3uEF{QX+hIdgEXR6tJJ+aUjLMnsT7m_PTa)y`BFj^n-jg}{g$(njYI6q za0+Bi=6R?SVEwUNmXS!diE^Vr33+s6q-+ydwZ1YoM)>|nMm7zKK&&HnQy?A$Lgxiq z+8rl-Y+z$MeE1WatGc(NzV)#p4M_>QXh!WN8wn)K`MBOQC(a*D@}Guv)XA|?ptffP z$iYhF7E`Iz@IcYMq;|s#mU;08Y?cJ?Mf5q0Li--48KLz%<z`jbO(rzZx~UXVl7HYp zkUMv7No;~-v7}^f0`#3R9F~|k;zkMw_GKqv%Gm1&dBHgn>BXT1n?a)v$-?vY(@74| zG39;bno^_0lW)^Qo%q6z$QQYCo!c!9g*iuNP8Ba7AKLH=CLfijK!b7%#vXTj8@xP9 z-)VDa;MZ*$j{VG?)DmpSebYK6f@Mz8ur)S8QTOZ~gznich#PT7@dyLAYf=wQ;mIDW zUrmg&q9Z!kEcw=GPq(dwkr$DdxJ^`+B`P^;I#Ywt*LpUch(BXTjJ6JtaFV$<n_-oO z8wT4G2vR;Q7m1}!kbKIBzd?=%bByJCmJT08#-Ms(D>3lzS(3REBH!wuW+7K%bhxcK 
zs1HAozQ2Fb2Jhqke*XRa{^g&(So#mWe^E3fXyPc4ajjfv!0d6R?%TdeA$y<?0ZBn~ z#@;YD*yXzW9sK<FttUmF8ZRtnn~)B*AjZd(-@bZtZyA1zzjB6)CQ}kS>yUEVuWc{G zc>#$!n*^Eu?Sg(i(PhVrFRi`jYW&dJ@9OvJ!}Z!TJD3+F^U~~weI_yItLwmnqXImc z(6~<;R^!MC#3Lf%PO}g)|JuA_%IuL<<(Sm{-cR7Re#H66DuWr9aJ3*fOH+kiG~azb z7=hcpYg>aLpmq!G<GV~FRj?RsP~c}XMTmWM3mW8ajRLzT0Rw`bCzG1Ty{GfY){Ls+ zuMeJ1M}kNmLrU-!+H(48<=mqvgHI7}6JfD+(pT0iIVz@9q-#tSxP~S~QUgDAg>Bt6 zg-CVs_gcZmsSLg)N2EZ&Z^ej^!Zb?_W}M!qIEN~upLdBd-#1s1tNgX7<Z7T{QrA^& zLH1w5XD;A!pG&+53AOOmaw_563JqL<eQa7MiIC}$pFUC`9q^n22b?&l`oxGqJ-Z$r zjv9^-!;Lz<sZ6J<k&qd{aTNF}ZkoI&oS1YLXI2GU59MKGF4zNXAPJnn_vO<L!dAal zI2X`e&u)%~^Gv4k=D0Wrbt)5E--&Xo)a>8S@~~ah+D&+>vdYVG3T>P|z%L$i86$S1 z*xT6IUwb}m5SBNlPf9CTtkuIeC+OM2Pjjp=p5Zu$t<5ls^hdaJHB3onIsLNYQ$NVi zjMhTM7o{)eKaqJgwJkZ7q$hqmdITf$0(z~H>6T(0-oHkuFwlv6keAUuioZzDVHZV# zZn|6AoeSy_8+Yfj?$DhH5!LH=cH5&qTVq*^U%0+Ht8-VTe+rh7s=f*KbjOeV;<)O4 zS1BQ{lb?Sku-m|=WxdFocr4FOS1c>G*j{(E^x}H*uu&hQ@+gxz&GrqEXbLnXxn`xl zW&~SKA&aF7*%2kS0+UW~p=)>X>>L!W3#$-H+v;UZEcxJY3t^;oP}bxzqfty(P?R>< zE;0k(4N9f#1KmmwmJMKhIZv`Hh18*6OZMufyrHQ*ead5QB>i?&yU4v_-`Th$2gfyV znkgTwTt_v%rVl&a6d~$J#>cc>qWLreBP1Mg85@POb+_qv?EIj&9I2ytc7w;2_)D$e z4Y@XrNQ1`@Hg4;!Qy|7rxg98;F$~(%-f(%p6yJL_{&w-Tha)eO?u<7-xie)>EBQJA zwVdKNnmLuzLsSjWN-oqZfc?CbcZgM0{Y)5jnaTZmtxG;jO!7e@eT?2dNPp^))f3*< zqalyTZ+dx^;l|wxi~iG^!MyFnb03=G13S^FqjOU(NwkQ4rcQ&H%8Zr)7USinpH7F~ zM!rC?C%b!c>!{@M@5M~eMm1Lbv`aRB3OeE?byVg3<7)o*nLC}zj=T3a{Hn^a7|+g# z@T{t^H*D79JuzI9ITLzedhSjYDYt3-E_urm3c9!A=UJ+p+0)s3bBgZ3-jHLahpRwe zb0M)!<QESp(Al!juAr~eQ<iwhi`dVY9<jmnru7#F+hF59g!oWK#HEqJY{&DMZR;TG zRY~AA;`buaV$aUhh%>dXaWp(#Mh^2ZXoW^>)<jP*px<bdjXO@>_m2`;^+tK+n-6y? 
zzz_4T>UMPXFYcA!C^aV{oTMrw9!!SaY)8-8I!$6L&h@yb8cce4+@84%!*-V6IVss9 ztVre=8X;ILW?yGTvRP@<qoO47QceBr9Md+}^9Ac+uaLJp1+MpznR`-pjVemTo=}yd ztu~l5)tR$rif@B0qHvEq$ei0rqbLGA8~6)!+Pd6wd7sZ`BunHHDlR|SbYQqNZvJG< z`qqGLXZNbzjK>n+#_e9xV=x2xK(81O5cn1fbl8r(37a(MP2buu{a7)4cr9r;^;FH_ zE!TpzPpGXOO<&vy-WHiafqua!Zk-(7b^u*02c|O$m$!6<9MVKuL%t|)c;-fqDf{ZQ zavoyOjToQl+@B@Yit%){2)6e+pf+|W=2*T<I9Zzb+_({y(;xXy^{`kS9&0#<Jsa4@ zDB^NAg&3BF7X&X3kVJ;NU|CvHk}TVa^@Od1#rH}Ynfo_&n20<c1BP{i9nC>3(Ztk7 z+K8{wq5sxs(3M4nS@PDnPU@p}qM$$u^VvfC?xCC|a&u``V?W|o@_sd<q{=p;W+Xw1 zg{`sQ3lEl&D%*zKj1Mjl5IT@-@7xwOQxY0o(#85<5+v!qt*E{%tA6-v7x+&HIv{QT z4QfpBOC;%0xo!!FRqKK1crb|U`GCk?0Eo`nfk>k)h{*YViO_wGLDGUU(Elng|3BoZ z?Lm$~C;oZ;3cr)5ivB0lF%W?~5AXyQQe%$)ZUWJ@f5iW(vB)1O?+Jvme?;&HWqun2 O{lOytuVR1Y_WuhA_64~B diff --git a/main/project/WebContent/lesson_plans/HttpOnly.html b/main/project/WebContent/lesson_plans/HttpOnly.html index 535439d3c..aea12470c 100644 --- a/main/project/WebContent/lesson_plans/HttpOnly.html +++ b/main/project/WebContent/lesson_plans/HttpOnly.html @@ -8,6 +8,7 @@ introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly. +<p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a> <p><b>General Goal(s):</b></p> The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the diff --git a/main/project/WebContent/lesson_plans/TomcatSetup.html b/main/project/WebContent/lesson_plans/TomcatSetup.html index 1c98d770f..ef5f0dda9 100644 --- a/main/project/WebContent/lesson_plans/TomcatSetup.html +++ b/main/project/WebContent/lesson_plans/TomcatSetup.html 
@@ -1,12 +1,12 @@ <!-- Start Instructions --> <h1>How To Configure Tomcat</h1><br><br> <h2>Introduction</h2> -<p>WebGoat comes with sane default configurations for Tomcat. This page will explain the configurations -and which further possibilities you have to configure Tomcat. This is just +<p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations +and other possible configurations for Tomcat. This is just a short description which should be enough in most cases. For more advanced tasks please refer to the Tomcat documentation. Please note that all solutions -are written for the standard configurations on port 80. If you use another configurations you have -to adjust the solution to your configurations.</p> +are written for the standard configurations on port 80. If you use another port you have +to adjust the solution to your configuration.</p> <h2>The Standard Configurations</h2> <p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. @@ -52,7 +52,7 @@ In this example to port 8442: <h3>Make WebGoat Reachable From Another Client</h3> <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN -SAVE NETWORKS!</p> +SAFE NETWORKS!</p> <p>By its default configurations WebGoat is only reachable within the localhost. In a laboratory or a class there is maybe the need of having a server and a few clients. diff --git a/main/project/WebContent/webgoat_challenge.jsp b/main/project/WebContent/webgoat_challenge.jsp index 18e1192f0..61d6795b9 100644 --- a/main/project/WebContent/webgoat_challenge.jsp +++ b/main/project/WebContent/webgoat_challenge.jsp 
@@ -10,20 +10,22 @@ WebSession webSession = ((WebSession) session.getAttribute("websession")); <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>WebGoat V5.2</title> -<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> +<link rel="stylesheet" href="css/webgoat_challenge.css" type="text/css" /> </head> <body> -<div id="wrap"> -<div id="top"></div> -<div id="start"> -<p>Thank you for using WebGoat!</p> -<p>This program is a demonstration of common web application flaws. +<div id="wrap_ch"> +<div id="top_ch"></div> +<div id="start_ch"> +<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws. The exercises are intended to provide hands on experience with -application penetration testing techniques. </p><p>The WebGoat project is lead +application penetration testing techniques. </p> +<p>The WebGoat project is lead by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p> -<div id="team"> +<p>Thanks to <a href="http://www.ouncelabs.com"><img align="top" height="20" width="160" border = "0" src="images/logos/ounce.jpg" alt="Ounce Labs"/></a> for supporting Bruce on the WebGoat Project.</p> + +<div id="team_ch"> <table border="0" align="center" class="lessonText"> <tr> <td width="50%"> @@ -107,7 +109,7 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo <div align="center" class="style2"> </div> <div align="center" class="style2"> </div> <div align="center" class="style2"> </div> -<div id="warning">WARNING<br /> +<div id="warning_ch">WARNING<br /> While running this program, your machine is extremely vulnerable to attack. You should disconnect from the network while using this program. <br />