Add a new lesson "How to add a new lesson" under new category "New Lessons"

Modified the existing lessons to present the solution in the last hint

git-svn-id: http://webgoat.googlecode.com/svn/trunk@31 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -104,6 +104,8 @@ public abstract class AbstractLesson extends Screen implements Comparable
 	 */
 	public final static Category WEB_SERVICES = new Category( "Web Services", new Integer( 1110 ) );
 	
+	public final static Category NEW_LESSON = new Category ( "New Lessons" , new Integer ( 1210 ) );
+
 	public final static Category ADMIN_FUNCTIONS = new Category( "Admin Functions", new Integer( 10 ) );
 
 	public final static Category GENERAL = new Category( "General", new Integer( 50 ) );
@@ -160,6 +162,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
 		categories.add(A9);
 		categories.add(A10);
 		categories.add(WEB_SERVICES);
+		categories.add(NEW_LESSON);
 		categories.add(ADMIN_FUNCTIONS);
 		categories.add(GENERAL);
 		categories.add(CODE_QUALITY);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java

@@ -89,8 +89,8 @@ public class CSRF extends LessonAdapter {
 	protected List getHints() {
 		List<String> hints = new ArrayList<String>();
 		hints.add( "Enter some text and try to include an image in there." );
-		hints.add( "The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");		
 		hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
+		hints.add( "The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");		
 
 		return hints;
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java

@@ -67,7 +67,7 @@ public class ForcedBrowsing extends LessonAdapter
 		hints.add( "Try to guess the URL for the config page" );
 		hints.add( "The config page is guessable and hackable" );
 		hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );
-		
+		hints.add( "Try to navigate to http://localhost:8080/WebGoat/config" );
 		return hints;
 	}
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java

@@ -95,7 +95,7 @@ public class HttpSplitting extends LessonAdapter {
 		hints.add( "Use CR (%0d) and LF (%0a) for a new line" );
 		hints.add( "The Content-Length: 0 will tell the server that the first request is over." );
 		hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
-
+		hints.add( "Try French%0d%0aContent-Length: 0%0d%0aHTTP/1.1 200 OK" );
 		return hints;
 	
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java

@@ -11,10 +11,10 @@ import org.owasp.webgoat.session.WebSession;
  *  under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
  *  this software.
  *
- * @author     Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @author     Sherif Koussa <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created    October 28, 2003
  */
-public class ParameterInjection extends LessonAdapter
+public class NewLesson extends LessonAdapter
 {
 	/**
 	 *  Description of the Method
@@ -25,22 +25,20 @@ public class ParameterInjection extends LessonAdapter
 	protected Element createContent( WebSession s )
 	{
 		// just to get the generic how to text.
-		return super.createContent(s);
+		makeSuccess(s);
+		return( new StringElement( "Welcome to the WebGoat hall of fame !!" ) );
 	}
 	/**
-	 *  Gets the category attribute of the CommandInjection object
+	 *  Gets the category attribute of the NEW_LESSON object
 	 *
 	 * @return    The category value
 	 */
 	protected Category getDefaultCategory()
 	{
-		return AbstractLesson.A6;
+		return AbstractLesson.NEW_LESSON;
 	}
 
-
+	private final static Integer DEFAULT_RANKING = new Integer(10);
-
-
-	private final static Integer DEFAULT_RANKING = new Integer(40);
 
 	protected Integer getDefaultRanking()
 	{
@@ -54,12 +52,12 @@ public class ParameterInjection extends LessonAdapter
 	 */
 	public String getTitle()
 	{
-		return ( "How to Perform Parameter Injection" );
+		return ( "How to add a new WebGoat lesson" );
 	}
 
 	public Element getCredits()
 	{
-		return new StringElement("This screen created by: Your name could go here");
+		return new StringElement("This screen created by: Sherif Koussa");
 	}
 }
 

webgoat/main/project/WebContent/WEB-INF/webgoat-class.properties

@@ -44,6 +44,9 @@ lesson.SoapRequest.ranking=10
 lesson.WSDLScanning.ranking=20
 lesson.WsSqlInjection.ranking=30
 
+category.New\ Lesson.category.ranking=111
+lesson.HowToAddNewLesson.ranking=10
+
 lesson.WeakSessionID.hidden=true
 lesson.BufferOverflow.hidden=true
 lesson.BlindSqlInjection.hidden=true

webgoat/main/project/WebContent/WEB-INF/webgoat-lmc.properties

@@ -41,6 +41,9 @@ lesson.SoapRequest.ranking=10
 lesson.WSDLScanning.ranking=20
 lesson.WsSqlInjection.ranking=30
 
+category.New\ Lesson.category.ranking=111
+lesson.HowToAddNewLesson.ranking=10
+
 lesson.WeakSessionID.hidden=true
 lesson.BufferOverflow.hidden=true
 lesson.BlindSqlInjection.hidden=true

webgoat/main/project/WebContent/lesson_plans/NewLesson.html

@@ -0,0 +1,25 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> How to Add a New WebGoat Lesson </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+Adding lessons to WebGoat is very easy. If you have an idea that would be suitable<br> 
+for a new lesson, follow these few simple instructions:<br><br>
+* Download the source code from <a href="http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824">here.</a><br><br>
+* Setup framework: follow the simple instructions in "HOW TO create the WebGoat workspace.txt" that comes with the project.<br><br>
+* You need to add two files for each class: <br>
+&nbsp;&nbsp;- YourLesson.java to org.owasp.webgoat.lessons<br>
+&nbsp;&nbsp;- YourLesson.html to WebContent/lesson_plans<br><br>
+* YourLesson class implmenet LessonAdapter and override the following methods:<br>
+&nbsp;- createContent: Use the <a href="http://jakarta.apache.org/site/downloads/downloads_ecs.cgi">ECS package</a> to develop HTML presented to the user.<br>
+&nbsp;- getCategory: Returns the category for which this lesson belongs (XSS, Injection flaws..etc)<br>
+&nbsp;- getHints: List of hints you would like to pass on to the users to point them to right direction.<br>
+&nbsp;- getTitle: The title for your new lesson.<br>
+&nbsp;- getCredits: Your name goes here.<br><br>
+
+<!-- Stop Instructions -->
+<br>
+ 
+<p><b>General Goal(s):</b> </p>
+ The user should be able to learn how to add a new lesson.  

webgoat/main/project/WebContent/lesson_plans/ParameterInjection.html

@@ -1,16 +0,0 @@
-<div align="Center"> 
-<p><b>Lesson Plan Title:</b> How to Perform Parameter Injection </p>
- </div>
- 
-<p><b>Concept / Topic To Teach:</b> </p>
-<!-- Start Instructions -->
-Parameter&nbsp; injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack. <br>
-<br>
- Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.<br>
-<br>
- It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br>
- <!-- Stop Instructions -->
-<br>
- 
-<p><b>General Goal(s):</b> </p>
- The user should be able to execute any command on the hosting OS.