Add lesson plans for the DB labs

git-svn-id: http://webgoat.googlecode.com/svn/trunk@174 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html

@@ -0,0 +1,24 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting
+(XSS)</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+It is always a good practice to scrub all inputs, especially those
+inputs that will later be used as parameters to OS commands, scripts,
+and database queries. It is particularly important for content that will
+be permanently stored somewhere. Users should not be able to create
+message content that could cause another user to load an undesirable
+page or undesirable content when the user's message is retrieved.
+<br>
+XSS can also occur when unvalidated user input is used in an HTTP
+response. In a reflected XSS attack, an attacker can craft a URL with
+the attack script and post it to another website, email it, or otherwise
+get a victim to click on it.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b></p>
+For this exercise, you will perform a stored XSS attack.
+You will also implement code changes in the database to defeat
+these attacks.
+<br>
+

webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html

@@ -0,0 +1,16 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> How to Perform SQL Injection</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+It is always a good practice to scrub all inputs, especially those
+inputs that will later be used as parameters to OS commands, scripts,
+and database queries. Users should not be able to alter the intent of
+commands that are executed on the server, in many cases as a privileged user.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b></p>
+For this exercise, you will perform a SQL Injection attack.
+You will also implement code changes in the database to defeat
+these attacks.
+<br>
+