Separated DB usage for messages in CSRF and Stored XSS

Many cosmetic english changes
Fixed IE rendering for Challenge
 

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@350 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/css/webgoat_challenge.css

@@ -6,8 +6,9 @@
 }
 
 #top_ch{
-	height:86px;
 	width: 500px;
+	height:136px;
+	background-image: url(../images/header/header.jpg);
 }
 
 #wrap_ch {
@@ -19,22 +20,24 @@
 }
 
 #start_ch {
-	height: 300px;
-	padding: 10px 50px 10px 50px;
-	font-size: 12px;
+	height: 350px;
+	width: 500px;
+	padding: 10px 10px 10px 10px;
+	font-size: 15px;
 }
 #warning_ch {
 	border: 1px solid #666666;
 	padding: 10px;
 	font-size: 10px;
 	color: #FF3300;
-	width: 400px;
-	margin-left: 50px;
+	width: 450px;
+	margin-left: 5px;
+	margin-right: 5px;
 }
 #team_ch {
 }
 .style1_ch {
-	font-size: 10px;
+	font-size: 11px;
 	font-weight: bold;
 }
 .style2_ch {

main/project/WebContent/lesson_plans/HttpOnly.html

@@ -8,6 +8,7 @@ introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
 set, then the browser should not allow client-side script to access the
 cookie. Since the attribute is relatively new, several browsers neglect
 to handle the new attribute properly.
+<p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a>
 <p><b>General Goal(s):</b></p>
 The purpose of this lesson is to test whether your browser supports the
 HTTPOnly cookie flag. Note the value of the

main/project/WebContent/lesson_plans/TomcatSetup.html

@@ -1,12 +1,12 @@
 <!-- Start Instructions -->
 <h1>How To Configure Tomcat</h1><br><br>
 <h2>Introduction</h2>
-<p>WebGoat comes with sane default configurations for Tomcat. This page will explain the configurations
-and which further possibilities you have to configure Tomcat. This is just 
+<p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations
+and other possible configurations for Tomcat. This is just 
 a short description which should be enough in most cases. For more advanced tasks please 
 refer to the Tomcat documentation. Please note that all solutions
-are written for the standard configurations on port 80. If you use another configurations you have 
-to adjust the solution to your configurations.</p>
+are written for the standard configurations on port 80. If you use another port you have 
+to adjust the solution to your configuration.</p>
 
 <h2>The Standard Configurations</h2>
 <p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost.
@@ -52,7 +52,7 @@ In this example to port 8442:
 <h3>Make WebGoat Reachable From Another Client</h3>
 <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
 	UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN 
-SAVE NETWORKS!</p>
+SAFE NETWORKS!</p>
 <p>By its default configurations WebGoat is only
 reachable within the localhost. In a laboratory or a class
 there is maybe the need of having a server and a few clients. 

main/project/WebContent/webgoat_challenge.jsp

@@ -10,20 +10,22 @@ WebSession webSession = ((WebSession) session.getAttribute("websession"));
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
 <title>WebGoat V5.2</title>
-<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
+<link rel="stylesheet" href="css/webgoat_challenge.css" type="text/css" />
 </head>
 
 <body>
 
-<div id="wrap">
-<div id="top"></div>
-<div id="start">
-<p>Thank you for using WebGoat!</p>
-<p>This program is a demonstration of common web application flaws.
+<div id="wrap_ch">
+<div id="top_ch"></div>
+<div id="start_ch">
+<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
 The exercises are intended to provide hands on experience with
-application penetration testing techniques. </p><p>The WebGoat project is lead
+application penetration testing techniques. </p>
+<p>The WebGoat project is lead
 by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
-<div id="team">
+<p>Thanks to <a href="http://www.ouncelabs.com"><img align="top" height="20" width="160" border = "0" src="images/logos/ounce.jpg" alt="Ounce Labs"/></a> for supporting Bruce on the WebGoat Project.</p>
+
+<div id="team_ch">
 <table border="0" align="center" class="lessonText">
 	<tr>
 		<td width="50%">
@@ -107,7 +109,7 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
 <div align="center" class="style2">&nbsp;</div>
 <div align="center" class="style2">&nbsp;</div>
 <div align="center" class="style2">&nbsp;</div>
-<div id="warning">WARNING<br />
+<div id="warning_ch">WARNING<br />
 While running this program, your machine is extremely vulnerable to
 attack. You should disconnect from the network while using this program.
 <br />