diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java index 011db1b97..3365d5b90 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java @@ -103,6 +103,8 @@ public abstract class AbstractLesson extends Screen implements Comparable * Description of the Field */ public final static Category WEB_SERVICES = new Category( "Web Services", new Integer( 1110 ) ); + + public final static Category NEW_LESSON = new Category ( "New Lessons" , new Integer ( 1210 ) ); public final static Category ADMIN_FUNCTIONS = new Category( "Admin Functions", new Integer( 10 ) ); @@ -160,6 +162,7 @@ public abstract class AbstractLesson extends Screen implements Comparable categories.add(A9); categories.add(A10); categories.add(WEB_SERVICES); + categories.add(NEW_LESSON); categories.add(ADMIN_FUNCTIONS); categories.add(GENERAL); categories.add(CODE_QUALITY); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java index 0d81fca09..25832dd8d 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java @@ -89,8 +89,8 @@ public class CSRF extends LessonAdapter { protected List getHints() { List hints = new ArrayList(); hints.add( "Enter some text and try to include an image in there." ); - hints.add( "The format of an image in html is
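Review bot: The display name on the new `NEW_LESSON` line is `"New Lessons"` (plural), while the properties entries this same commit adds to webgoat-class.properties and webgoat-lmc.properties use the key `category.New\ Lesson.category.ranking` (singular); if that key is derived from the display name, the two will never match and the ranking of 111 is silently ignored in favour of the hard-coded 1210. Either make the constant `"New Lesson"` or the properties key `New\ Lessons`, whichever the lookup expects. The new line also departs from the spacing convention of its neighbours; `public final static Category NEW_LESSON = new Category( "New Lessons", new Integer( 1210 ) );` matches the `WEB_SERVICES` line above it. The second hunk, which only registers the category in the list, needs nothing further.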
<img src=\"[URL]\" width=\"1\" height=\"1\" />
"); hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." ); + hints.add( "The format of an image in html is
<img src=\"[URL]\" width=\"1\" height=\"1\" />
"); return hints; } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java index f8e3b4be1..5bbe60c05 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java @@ -67,7 +67,7 @@ public class ForcedBrowsing extends LessonAdapter hints.add( "Try to guess the URL for the config page" ); hints.add( "The config page is guessable and hackable" ); hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." ); - + hints.add( "Try to navigate to http://localhost:8080/WebGoat/config" ); return hints; } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java index 61b5137de..16da20dbe 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java @@ -95,7 +95,7 @@ public class HttpSplitting extends LessonAdapter { hints.add( "Use CR (%0d) and LF (%0a) for a new line" ); hints.add( "The Content-Length: 0 will tell the server that the first request is over." ); hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" ); - + hints.add( "Try French%0d%0aContent-Length: 0%0d%0aHTTP/1.1 200 OK" ); return hints; } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java similarity index 66% rename from webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java rename to webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java index b3e63102e..28b4a0d7e 100644 
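Review bot: The hint moved to the end of `getHints()` in CSRF.java embeds a literal `<img src=\"[URL]\" width=\"1\" height=\"1\" />`; if hint text is written into the page as HTML, the browser will try to load that as an image instead of showing the markup the user is supposed to read. Escaping it in the string, e.g. `&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;`, keeps the hint legible without relying on the renderer; this text existed before the commit, so confirm against how hints are emitted before changing it. The `getHints()` method here begins outside the hunk, and its raw `List`/`ArrayList` declarations are pre-existing context rather than part of this change.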
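Review bot: The new hint in ForcedBrowsing.java hard-codes `http://localhost:8080/WebGoat/config`, which is only right when WebGoat runs on that host, port and context path; on any other deployment the hint points at a URL that does not exist. If `getHints()` here, like the one in CSRF.java, has no access to the request, the wording should stay relative to the page the user is already on and continue the previous hint's phrasing, e.g. `hints.add( "Try replacing 'attack' in the current URL with 'config'" );`. The enclosing `getHints()` starts outside the hunk.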
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java @@ -11,10 +11,10 @@ import org.owasp.webgoat.session.WebSession; * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute * this software. * - * @author Bruce Mayhew WebGoat + * @author Sherif Koussa WebGoat * @created October 28, 2003 */ -public class ParameterInjection extends LessonAdapter +public class NewLesson extends LessonAdapter { /** * Description of the Method @@ -25,22 +25,20 @@ public class ParameterInjection extends LessonAdapter protected Element createContent( WebSession s ) { // just to get the generic how to text. - return super.createContent(s); + makeSuccess(s); + return( new StringElement( "Welcome to the WebGoat hall of fame !!" ) ); } /** - * Gets the category attribute of the CommandInjection object + * Gets the category attribute of the NEW_LESSON object * * @return The category value */ protected Category getDefaultCategory() { - return AbstractLesson.A6; + return AbstractLesson.NEW_LESSON; } - - - - private final static Integer DEFAULT_RANKING = new Integer(40); + private final static Integer DEFAULT_RANKING = new Integer(10); protected Integer getDefaultRanking() { @@ -54,12 +52,12 @@ public class ParameterInjection extends LessonAdapter */ public String getTitle() { - return ( "How to Perform Parameter Injection" ); + return ( "How to add a new WebGoat lesson" ); } public Element getCredits() { - return new StringElement("This screen created by: Your name could go here"); + return new StringElement("This screen created by: Sherif Koussa"); } } diff --git a/ webgoat/main/project/WebContent/WEB-INF/webgoat-class.properties b/ webgoat/main/project/WebContent/WEB-INF/webgoat-class.properties index dd4748d5c..e8de6a179 100644 --- a/ webgoat/main/project/WebContent/WEB-INF/webgoat-class.properties 
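Review bot: The comment `// just to get the generic how to text.` in `createContent` now describes code that no longer exists: the `super.createContent(s)` call it explained was replaced by an unconditional `makeSuccess(s)` followed by a fixed `StringElement`. Replace it with something like `// Template lesson: marks itself solved on first view and shows a placeholder body.`, and say the same in the class Javadoc, because anyone copying this file as a starting point otherwise inherits a lesson that completes itself. The Javadoc on `getDefaultCategory` should read "of the NewLesson object" rather than "NEW_LESSON", and the retained `@created October 28, 2003` no longer fits the new `@author`. `return( new StringElement( "Welcome to the WebGoat hall of fame !!" ) );` is also an odd form; `return new StringElement( "Welcome to the WebGoat hall of fame !!" );` matches `getCredits` below. Since this file is a rename of ParameterInjection.java and its lesson plan is deleted at the end of the diff, the A6 Parameter Injection lesson disappears with this commit, which is presumably intended but worth stating in the description.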
+++ b/ webgoat/main/project/WebContent/WEB-INF/webgoat-class.properties @@ -44,6 +44,9 @@ lesson.SoapRequest.ranking=10 lesson.WSDLScanning.ranking=20 lesson.WsSqlInjection.ranking=30 +category.New\ Lesson.category.ranking=111 +lesson.HowToAddNewLesson.ranking=10 + lesson.WeakSessionID.hidden=true lesson.BufferOverflow.hidden=true lesson.BlindSqlInjection.hidden=true diff --git a/ webgoat/main/project/WebContent/WEB-INF/webgoat-lmc.properties b/ webgoat/main/project/WebContent/WEB-INF/webgoat-lmc.properties index 8874724db..95adfcacc 100644 --- a/ webgoat/main/project/WebContent/WEB-INF/webgoat-lmc.properties +++ b/ webgoat/main/project/WebContent/WEB-INF/webgoat-lmc.properties @@ -41,6 +41,9 @@ lesson.SoapRequest.ranking=10 lesson.WSDLScanning.ranking=20 lesson.WsSqlInjection.ranking=30 +category.New\ Lesson.category.ranking=111 +lesson.HowToAddNewLesson.ranking=10 + lesson.WeakSessionID.hidden=true lesson.BufferOverflow.hidden=true lesson.BlindSqlInjection.hidden=true diff --git a/ webgoat/main/project/WebContent/lesson_plans/NewLesson.html b/ webgoat/main/project/WebContent/lesson_plans/NewLesson.html new file mode 100644 index 000000000..77d608f15 --- /dev/null +++ b/ webgoat/main/project/WebContent/lesson_plans/NewLesson.html @@ -0,0 +1,25 @@ +
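Review bot: The added key `lesson.HowToAddNewLesson.ranking=10` in webgoat-class.properties names no class in this commit; the lesson class is `NewLesson`, and the neighbouring keys (`lesson.WSDLScanning`, `lesson.BufferOverflow`) look like class names, so this entry is probably never read and the ranking falls back to `DEFAULT_RANKING` in NewLesson.java. If the key is class-derived it should be `lesson.NewLesson.ranking=10`. The identical pair of lines is added to webgoat-lmc.properties in the next hunk and needs the same correction, and both files' `category.New\ Lesson` key should match whatever display name `AbstractLesson.NEW_LESSON` ends up with.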
+

Lesson Plan Title: How to Add a New WebGoat Lesson

+
+ +

Concept / Topic To Teach:

+ +Adding lessons to WebGoat is very easy. If you have an idea that would be suitable
+for a new lesson, follow these few simple instructions:

+* Download the source code from here.

+* Setup framework: follow the simple instructions in "HOW TO create the WebGoat workspace.txt" that comes with the project.

+* You need to add two files for each class:
+  - YourLesson.java to org.owasp.webgoat.lessons
+  - YourLesson.html to WebContent/lesson_plans

+* YourLesson class implmenet LessonAdapter and override the following methods:
+ - createContent: Use the ECS package to develop HTML presented to the user.
+ - getCategory: Returns the category for which this lesson belongs (XSS, Injection flaws..etc)
+ - getHints: List of hints you would like to pass on to the users to point them to right direction.
+ - getTitle: The title for your new lesson.
+ - getCredits: Your name goes here.

+ + +
+ +

General Goal(s):

+ The user should be able to learn how to add a new lesson. diff --git a/ webgoat/main/project/WebContent/lesson_plans/ParameterInjection.html b/ webgoat/main/project/WebContent/lesson_plans/ParameterInjection.html deleted file mode 100644 index e26ee947e..000000000 --- a/ webgoat/main/project/WebContent/lesson_plans/ParameterInjection.html +++ /dev/null @@ -1,16 +0,0 @@ -
-

Lesson Plan Title: How to Perform Parameter Injection

-
- -

Concept / Topic To Teach:

- -Parameter  injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.
-
- Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.
-
- It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.
- -
- -

General Goal(s):

- The user should be able to execute any command on the hosting OS. \ No newline at end of file