XSS lesson updates

2017-02-17 13:05:54 -05:00
parent af8f8c27a6
commit 7f532f0ffc
24 changed files with 402 additions and 479 deletions
--- a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html
+++ b/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html
@ -0,0 +1,51 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
+	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
+    </div>
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
+	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- stripped down without extra comments -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
+                  method="POST"
+                  action="/WebGoat/HttpBasics/intercept-request"
+                  enctype="application/json;charset=UTF-8">
+
+                <input type="text" value="doesn't matter really" name="changeMe" />
+                <input type="submit" value="Submit" />
+
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+</html>
--- a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc
+++ b/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc
@ -0,0 +1,20 @@
+
+== HTTP Proxy Overview
+
+Many times proxies are used as a way of accessing otehrwise blocked content.  A user might connect to server A, which relays content from server B
+ ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
+HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
+use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
+relationship to proxies.
+
+=== Proxy Capabilities
+
+Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
+modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
+analyzing the security of a website.
+
+=== Other Uses for Proxies
+
+ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
+not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
+CI/CD with Jenkins, maven or other build processes.
--- a/webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
@ -0,0 +1,4 @@
+http-proxies.title=HTTP Proxies
+
+http-proxies.intercept.success=Well done, you tampered the request as expected
+http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!