From 7bb2c087a0a78c86639dd493cad058a7e4fba2f1 Mon Sep 17 00:00:00 2001
From: "rogan.dawes" <rogan.dawes@4033779f-a91e-0410-96ef-6bf7bf53c507>
Date: Wed, 11 Jul 2007 12:56:26 +0000
Subject: [PATCH] Add lesson plans for the DB labs

git-svn-id: http://webgoat.googlecode.com/svn/trunk@174 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../lesson_plans/DBCrossSiteScripting.html    | 24 +++++++++++++++++++
 .../lesson_plans/DBSQLInjection.html          | 16 +++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100755  webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html
 create mode 100755  webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html

diff --git a/ webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html b/ webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html
new file mode 100755
index 000000000..a54fd9ab9
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html	
@@ -0,0 +1,24 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting
+(XSS)</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+It is always a good practice to scrub all inputs, especially those
+inputs that will later be used as parameters to OS commands, scripts,
+and database queries. It is particularly important for content that will
+be permanently stored somewhere. Users should not be able to create
+message content that could cause another user to load an undesirable
+page or undesirable content when the user's message is retrieved.
+<br>
+XSS can also occur when unvalidated user input is used in an HTTP
+response. In a reflected XSS attack, an attacker can craft a URL with
+the attack script and post it to another website, email it, or otherwise
+get a victim to click on it.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b></p>
+For this exercise, you will perform a stored XSS attack.
+You will also implement code changes in the database to defeat
+these attacks.
+<br>
+
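Review bot: The "General Goal(s)" text in DBCrossSiteScripting.html covers only a stored XSS attack, but the second concept paragraph is about reflected XSS, and nothing says what the "code changes in the database" are expected to be. Either mark the reflected XSS paragraph as background or drop it, and name the database-side fix the student should implement (for example, validating the field before it is stored), so that "scrub all inputs" is tied to a concrete task. Input scrubbing is the only defence the text names; it is worth adding a sentence on encoding the stored value when it is rendered back to another user. The title "How to Perform Cross Site Scripting (XSS)" also does not identify this as the DB lab variant that the filename and commit subject indicate.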
diff --git a/ webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html b/ webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html
new file mode 100755
index 000000000..879a1b92e
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html	
@@ -0,0 +1,16 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> How to Perform SQL Injection</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+It is always a good practice to scrub all inputs, especially those
+inputs that will later be used as parameters to OS commands, scripts,
+and database queries. Users should not be able to alter the intent of
+commands that are executed on the server, in many cases as a privileged user.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b></p>
+For this exercise, you will perform a SQL Injection attack.
+You will also implement code changes in the database to defeat
+these attacks.
+<br>
+
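Review bot: The sentence ending "commands that are executed on the server, in many cases as a privileged user." in DBSQLInjection.html has a dangling modifier: it can be read as the user being privileged rather than the command running with elevated privileges. Suggest "commands that are executed on the server, in many cases with elevated privileges". The concept text names only "scrub all inputs" as the defence, while the goal asks for "code changes in the database"; state which change is meant (for example, bound parameters in the database code instead of concatenating input into the query text) so the student knows what to implement. As in the XSS plan, the title "How to Perform SQL Injection" does not mark this as the DB lab, and both files are created with mode 100755, which static HTML lesson plans do not need.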