From 7bb2c087a0a78c86639dd493cad058a7e4fba2f1 Mon Sep 17 00:00:00 2001 From: "rogan.dawes" <rogan.dawes@4033779f-a91e-0410-96ef-6bf7bf53c507> Date: Wed, 11 Jul 2007 12:56:26 +0000 Subject: [PATCH] Add lesson plans for the DB labs git-svn-id: http://webgoat.googlecode.com/svn/trunk@174 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../lesson_plans/DBCrossSiteScripting.html | 24 +++++++++++++++++++ .../lesson_plans/DBSQLInjection.html | 16 +++++++++++++ 2 files changed, 40 insertions(+) create mode 100755 webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html create mode 100755 webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html diff --git a/ webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html b/ webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html new file mode 100755 index 000000000..a54fd9ab9 --- /dev/null +++ b/ webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html 
@@ -0,0 +1,24 @@ +<div align="Center"> +<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting +(XSS)</p> +</div> +<p><b>Concept / Topic To Teach:</b></p> +<!-- Start Instructions --> +It is always a good practice to scrub all inputs, especially those +inputs that will later be used as parameters to OS commands, scripts, +and database queries. It is particularly important for content that will +be permanently stored somewhere. Users should not be able to create +message content that could cause another user to load an undesirable +page or undesirable content when the user's message is retrieved. +<br> +XSS can also occur when unvalidated user input is used in an HTTP +response. In a reflected XSS attack, an attacker can craft a URL with +the attack script and post it to another website, email it, or otherwise +get a victim to click on it. +<!-- Stop Instructions --> +<p><b>General Goal(s):</b></p> +For this exercise, you will perform a stored XSS attack. +You will also implement code changes in the database to defeat +these attacks. +<br> + diff --git a/ webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html b/ webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html new file mode 100755 index 000000000..879a1b92e --- /dev/null +++ b/ webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html 
@@ -0,0 +1,16 @@ +<div align="Center"> +<p><b>Lesson Plan Title:</b> How to Perform SQL Injection</p> +</div> +<p><b>Concept / Topic To Teach:</b></p> +<!-- Start Instructions --> +It is always a good practice to scrub all inputs, especially those +inputs that will later be used as parameters to OS commands, scripts, +and database queries. Users should not be able to alter the intent of +commands that are executed on the server, in many cases as a privileged user. +<!-- Stop Instructions --> +<p><b>General Goal(s):</b></p> +For this exercise, you will perform a SQL Injection attack. +You will also implement code changes in the database to defeat +these attacks. +<br> +
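Review bot: In the DBCrossSiteScripting.html hunk, the "General Goal(s)" paragraph says the learner will "implement code changes in the database to defeat these attacks" but never says what those changes are, and for XSS the defence that actually holds is encoding on output (when the stored message is rendered), not scrubbing on the way into the database; the instructions paragraph only talks about scrubbing inputs. Suggest stating the intended fix explicitly, for example "+You will then modify the stored procedure so that message content is validated (and encoded when rendered) before it can reach another user." The second instructions paragraph describes reflected XSS ("craft a URL with the attack script"), but the goal is a stored XSS exercise against database-backed content, so that paragraph is not exercised by this lab; either drop it or add a sentence saying the lab covers the stored variant only. Minor: the body text after "<!-- Start Instructions -->" is bare text outside any <p>, and the file ends with a dangling "+<br>"; wrapping the text in <p> elements and dropping the trailing <br> keeps the markup consistent with the title block.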
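Review bot: In the DBSQLInjection.html hunk, the key teaching point is left implicit: the instructions say users "should not be able to alter the intent of commands that are executed on the server, in many cases as a privileged user", but the clause "in many cases as a privileged user" dangles and the "General Goal(s)" text never names the defence the learner is meant to implement. Suggest rewording to "+commands that are executed on the server, which often run as a privileged database user." and making the goal concrete, e.g. "+You will then change the database code so the query is parameterized rather than built by concatenating user input." Minor wording: "+For this exercise, you will perform a SQL Injection attack." should read "an SQL injection attack" to match the article and capitalisation used elsewhere in the lesson plans. As in the other file, the instruction text sits outside any <p> element and the file ends with a stray "+<br>" followed by an empty line.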