Refactored files to Maven standard Layout

Added plugin to produce executable jar. Now it is easy to run webgoat on all platforms.
2014-08-23 13:07:10 -04:00
parent 5b2a849322
commit a387d06a34
1261 changed files with 22 additions and 11 deletions
--- a/src/main/webapp/lesson_plans/English/HttpOnly.html
+++ b/src/main/webapp/lesson_plans/English/HttpOnly.html
@ -0,0 +1,26 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> HttpOnly Test</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+To help mitigate the cross site scripting threat, Microsoft has
+introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
+set, then the browser should not allow client-side script to access the
+cookie. Since the attribute is relatively new, several browsers neglect
+to handle the new attribute properly.
+<p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a>
+<p><b>General Goal(s):</b></p>
+The purpose of this lesson is to test whether your browser supports the
+HTTPOnly cookie flag. Note the value of the
+<strong>unique2u</strong>
+cookie. If your browser supports HTTPOnly, and you enable it for a
+cookie, client side code should NOT be able to read OR write to that
+cookie, but the browser can still send its value to the server. Some
+browsers only prevent client side read access, but don't prevent write
+access.
+<br />
+<br />
+With the HTTPOnly attribute turned on, type
+"javascript:alert(document.cookie)" in the browser address bar. Notice
+all cookies are displayed except the unique2u cookie.
+<!-- Stop Instructions -->