Merge branch 'develop' of https://github.com/WebGoat/WebGoat into develop

README.MD

@@ -21,7 +21,7 @@ exercises are intended to be used by people to learn about application security
 penetration testing techniques.
 
 **WARNING 1:** *While running this program your machine will be extremely
-vulnerable to attack. You should to disconnect from the Internet while using
+vulnerable to attack. You should disconnect from the Internet while using
 this program.*  WebGoat's default configuration binds to localhost to minimize 
 the exposure.
 

webgoat-container/src/main/resources/static/css/main.css

@@ -14,7 +14,7 @@ a:link,
 a:visited {
   text-decoration: none;
   outline: none;
-  color: #e84c3d;
+  /* color: #e84c3d; */
 }
 a:hover,
 a:active {
@@ -840,12 +840,6 @@ cookie-container {
   overflow-x:hidden;
 }
   
-#sidebar {
-  /*background-color:#333;*/
-  background-color:blue;
-}
-
-  
 .sidebar-toggle {
   margin-left: -240px;
 }
@@ -876,6 +870,7 @@ cookie-container {
   -ms-transition: all 200ms ease-in;
   transition: all 200ms ease-in;
 }
+
 #menu-container ul li a span {
   display: inline-block;
 }
@@ -897,6 +892,15 @@ cookie-container {
   margin-left:8px;
 }
 
+#menu-container ul ul li.selected a {
+    color:#e84c3d
+}
+
+#menu-container ul ul li.selected a:hover {
+    color:#ddd
+}
+
+
 #menu-container ul li a i {
   width: 20px;
 }
@@ -914,9 +918,11 @@ cookie-container {
   display: block;
 }
 
+#menu-container ul li:hover,
 #menu-container ul li a:hover,
 #menu-container ul li.active > a {
-  color: #e84c3d;
+  background-color: #e84c3d;
+  color:#ddd;
 }
 
 #menu-container ul span.lesson-complete {
@@ -927,9 +933,11 @@ cookie-container {
     display:inline-block;
 }
 
+/*
 #menu-container ul li.selected, #menu-container li a.selected {
-    background-color: ##aaa;
+    background-color: #aaa;
 }
+*/
 
 #menu-container ul li.stage {
   padding-left:3px;
@@ -937,6 +945,7 @@ cookie-container {
 
 #menu-container li.selected, #menu-container a.selected {
   color:#fff;
+  /* background-color:#000; */
   font-weight:550;
 }
 

webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js

@@ -108,14 +108,15 @@ define(['jquery',
 		},
 
 		onLessonClick: function (elementId) {
-			$('#'+this.curLessonLinkId).removeClass('selected');
+			$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
 			//update
-			$('#'+elementId).addClass('selected');
+			$('#'+elementId).addClass('selected').parent().addClass('selected');
 			this.curLessonLinkId = elementId;
 		},
 
 		expandCategory: function (id) {
 			if (id) {
+			    //this.selectedCategory = id;
 				this.accordionMenu(id);
 			}
 		},

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html

@@ -2,6 +2,13 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
+    </div>
+
     <div class="lesson-page-wrapper">
 		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here. Content will be presented via asciidocs files,

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html

@@ -1,29 +0,0 @@
-<div align="Center"> 
-<p><b>Lehrplan:</b> Http Basics </p>
- </div>
- 
-<p><b>Lehrinhalt:</b> </p>
- Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
-<div align="Left"> 
-<p>
-<b>So funktioniert HTTP:</b>
-</p>
-Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Körper.
-Der Client initiiert eine Transaktion wie folgt:<br>
-<br>
- Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
- Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
- <br>
-<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
-Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
-<br>
-<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
-<!-- Start Instructions -->
-Geben Sie Ihren Namen in das Eingabefeld ein und drücken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurückschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
-<br/><br/>
-Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knöpfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
-Außerdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren. 
-<!-- Stop Instructions -->

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc

@@ -0,0 +1,20 @@
+
+== HTTP Proxy Overview
+
+Many times proxies are used as a way of accessing otehrwise blocked content.  A user might connect to server A, which relays content from server B
+ ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
+HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
+use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
+relationship to proxies.
+
+=== Proxy Capabilities
+
+Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
+modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
+analyzing the security of a website.
+
+=== Other Uses for Proxies
+
+ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
+not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
+CI/CD with Jenkins, maven or other build processes.

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc

@@ -1,9 +1,7 @@
-= HTTP Basics : Proxy
 
 == HTTP Proxy Setup
 
-HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
+Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
-OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
 this will show you how to set up ZAP to act as a proxy on your localhost.
 
 === Setting up ZAP
@@ -27,4 +25,3 @@ image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,
 . Click OK
 
 image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
-

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc

@@ -1,11 +1,9 @@
 == HTTP Proxy Setup: The Browser
 
-=== Point Browser at Proxy
-
 There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
 This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
 
-==== Firefox Proxy Config
+=== Firefox Proxy Config
 
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
 . Select _Advanced_ on the left
@@ -18,7 +16,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
 
 image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 
-==== Chrome Proxy Config
+=== Chrome Proxy Config
 
 . Bring up Chrome's settings form the menu
 . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
@@ -29,3 +27,13 @@ image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox
 . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
 
 image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
+
+=== Other Proxy Configuration Options
+
+If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
+or based on URL patterns. Examples include:
+
+* FoxyProxy for Firefox
+* Proxy Switcher for Firefox
+* Toggle Proxy for Firefox
+* Still looking for suggestions for Chrome ...

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html

@@ -1,33 +0,0 @@
-<div align="Center"> 
-<p><b>Название урока:</b> Основы Http </p>
- </div>
- 
-<p><b>Тема изучения:</b> </p>
-В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
-<div align="Left"> 
-<p>
-<b>Как работает HTTP:</b>
-</p>
-Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
-строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
-<br>
- Он соединяется с сервером и отправляет запрос для получения документа <br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
-Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
-(например какие кодировки и типы документов поддерживаются клиентом).<br>
- <br>
-<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
-После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
-предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
-<p><b>Основные цели и задачи:</b> </p>
-<!-- Start Instructions -->
-Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
-полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
-полученных из HTTP-запроса.
-<br/><br/>
-Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса, 
-отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
-запросов вы можете использовать WebScarab.
-<!-- Stop Instructions -->

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc

@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here

webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html

@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
-	</div>
-
-
-</html>