diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc index 94f85602e..fe54d2789 100644 --- a/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc +++ b/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc @@ -1,7 +1,7 @@ == Introducing WebWolf -You only need WebWolf if a lesson specifies you can use it. For a lot of lessons you use WebGoat without -using WebWolf. Lessons where you can use WebWolf are marked with the following icon (top right in assignment): +You only need WebWolf if a lesson specifies that you can use it. For many lessons, you use WebGoat without +using WebWolf. Lessons where you can use WebWolf, are marked with the following icon (top right in the assignment): {nbsp} 
@@ -9,16 +9,17 @@ image::images/wolf-enabled.png[width=115,height=128] {nbsp} -Even if the icon is present, you are not obliged to use WebWolf, you can also use any intercepting tool you like. +Even if the icon is present, you are not obliged to use WebWolf. You can also use any intercepting tool you like. (`netcat` etc.) -WebWolf opens in a new browser tab and is a separate web application which simulates an attacker's machine. It makes it possible for us to -make a clear distinction between what takes place on the attacked website and the actions you need to do as -an "attacker". WebWolf was introduced after a couple of workshops where we received feedback that there +You can always open WebWolf by clicking the icon in the top right corner. + +WebWolf opens in a new browser tab and is a separate web application that simulates an attacker's machine. It makes it possible for us to +distinguish between what takes place on the attacked website and what actions you need to take as +an "attacker." The idea for WebWolf came about after a couple of workshops where we received feedback that there was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the -website. The following items are supported in WebWolf: +website. WebWolf supports the following functionality: * Hosting a file * Receiving email * Landing page for incoming requests - diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc index 9a4099391..70948deaa 100644 --- a/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc +++ b/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc 
@@ -1,8 +1,8 @@ == Landing page This page will show all the requests made to '/landing/**'. This means -you can use WebWolf as your landing page for harvesting cookies etc which -is helpful when you perform a XSS lesson. +you can use WebWolf as your landing page for harvesting cookies etc. which +is helpful when you perform an XSS lesson. image::images/requests.png[caption="Figure: ", style="lesson-image"] @@ -10,16 +10,15 @@ image::images/requests.png[caption="Figure: ", style="lesson-image"] {nbsp} {nbsp} -*For this exercise you need to login to WebWolf first.* +*For this exercise, you need to log in to WebWolf first.* {nbsp} {nbsp} -Suppose we tricked a user to click on a link he/she received in an email, this link will open up our crafted +Suppose we tricked a user into clicking on a link he/she received in an email. This link will open up our crafted password reset link page. The user does not notice any differences compared to the normal password reset page of the company. -The user enters a new password and hits enter. The new password will be sent to your host. In this case the new +The user enters a new password and hits enter. The new password will be sent to your host. In this case, the new password will be sent to WebWolf. Try to locate the unique code. -Please be aware that after resetting the password the user will receive an error page. In a real attack scenario the -user would probably see a normal success page (this is due to a limit what we can control with WebWolf) +Please be aware that the user will receive an error page after resetting the password. In a real attack scenario the user would probably see a normal success page (this is due to a limit on what we can control with WebWolf) diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc index 5236be646..f5f88be35 100644 
--- a/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc +++ b/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc @@ -1,7 +1,7 @@ -== Your own mailbox +== Your mailbox -WebWolf offers a mail client which will contain the e-mail sent during a lesson. -This mailbox is user specific so each user has a separate mailbox. All e-mail +WebWolf offers a mail client containing the e-mail sent during a lesson. +This mailbox is user-specific, so each user has a separate mailbox. All e-mail sent to {user}@.... will end up in this inbox. {nbsp} @@ -14,5 +14,5 @@ image::images/mailbox.png[caption="Figure: ", style="lesson-image"] {nbsp} {nbsp} -Try it, type in your e-mail address below and check your inbox in +Try it; type in your e-mail address below and check your inbox in WebWolf. Then type in the unique code from the e-mail in the field below. diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc index 2ccda9d92..dae40da76 100644 --- a/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc +++ b/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc 
@@ -1,12 +1,12 @@ == Uploading files -In this section you can upload files. These files will be available from outside -the application. For example if you want to reference a DTD which you -reference from an xml in an XXE attack, you can use WebWolf to serve this DTD. +In this section, you can upload files. These files will be available from outside +the application. For example, if you want to reference a DTD that you +reference from an XML in an XXE attack, you can use WebWolf to serve this DTD. image::images/files.png[caption="Figure: ", style="lesson-image"] {nbsp} -After uploading a file you can use the 'Link' to get the full URL to the uploaded +After uploading a file, you can use the 'Link' to get the full URL to the uploaded file.
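Review bot: the comma added in `Lessons where you can use WebWolf, are marked with the following icon` (first hunk of IntroductionWebWolf.adoc) separates the subject from its verb and should be dropped: `Lessons where you can use WebWolf are marked with the following icon (top right in the assignment):`. The `that you can use it` and `For many lessons, you use` changes in the same hunk read fine.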
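Review bot: in the second hunk of IntroductionWebWolf.adoc the parenthetical `(`netcat` etc.)` is appended after the sentence's full stop and reads as a fragment; fold it into the sentence, for example `You can also use any intercepting tool you like, such as `netcat`.` The same hunk also changes the quoting style: `an "attacker."` places the period inside the quotes, while the original `an "attacker".` and the untouched `"attackers"` / `"users"` a line later keep punctuation outside; pick one convention for the file.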
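Review bot: `harvesting cookies etc. which is helpful` in the first hunk of Landing_page.adoc still lacks the comma the relative clause needs; `you can use WebWolf as your landing page for harvesting cookies etc., which is helpful when you perform an XSS lesson.` would read cleanly, and the `a XSS` to `an XSS` correction is right.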
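Review bot: the final line of the second hunk in Landing_page.adoc still ends without a period after the closing parenthesis (`... control with WebWolf)`), and it merges the two original wrapped lines into one very long line while the rest of the file wraps at roughly 100 characters; keep the wrap and close the sentence. For consistency with the `In this case, the new` change in the same hunk, `In a real attack scenario the user` would also take a comma after `scenario`.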
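Review bot: the first hunk of Receiving_mail.adoc leaves `All e-mail sent to {user}@.... will end up in this inbox.` untouched, and `{user}@....` reads like a typo rather than a deliberately elided domain; if the domain is intentionally left out, say so in the sentence (e.g. `to {user}@<the WebWolf mail domain>`), otherwise spell it out. The `user-specific` hyphenation and the `containing the e-mail` rewording are fine.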
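Review bot: `Then type in the unique code from the e-mail in the field below.` in the second hunk of Receiving_mail.adoc is ambiguous about which phrase `in the field below` attaches to; `Then enter the unique code from the e-mail into the field below.` makes the instruction unambiguous. The `Try it;` semicolon is acceptable, though a colon (`Try it: type in ...`) would match how the other lessons introduce an exercise.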
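Review bot: the hunk in Uploading_files.adoc keeps the doubled verb in `if you want to reference a DTD that you reference from an XML` and leaves `an XML` without a noun; suggest `For example, if an XML document used in an XXE attack references an external DTD, you can use WebWolf to serve that DTD.` The added commas after `In this section` and `After uploading a file` are correct.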