From a90d292239284c00bb7882b0ce46be965d7755e6 Mon Sep 17 00:00:00 2001
From: esheri3
Date: Mon, 22 Jan 2007 18:10:06 +0000
Subject: [PATCH] Fixed spelling mistakes.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@64 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../main/project/WebContent/lesson_plans/BackDoors.html | 5 +++--
 .../WebContent/lesson_plans/BasicAuthentication.html | 3 ++-
 .../project/WebContent/lesson_plans/BlindSqlInjection.html | 4 ++--
 webgoat/main/project/WebContent/lesson_plans/CSRF.html | 3 ++-
 .../project/WebContent/lesson_plans/CrossSiteScripting.html | 3 ++-
 .../main/project/WebContent/lesson_plans/DOMInjection.html | 3 ++-
 .../WebContent/lesson_plans/HiddenFieldTampering.html | 4 ++--
 .../main/project/WebContent/lesson_plans/HtmlClues.html | 4 ++--
 .../main/project/WebContent/lesson_plans/JSONInjection.html | 5 +++--
 .../WebContent/lesson_plans/JavaScriptValidation.html | 4 ++--
 .../project/WebContent/lesson_plans/RemoteAdminFlaw.html | 6 +++---
 .../WebContent/lesson_plans/SqlNumericInjection.html | 4 ++--
 .../project/WebContent/lesson_plans/SqlStringInjection.html | 4 ++--
 .../main/project/WebContent/lesson_plans/StoredXss.html | 4 ++--
 webgoat/main/project/WebContent/lesson_plans/TraceXSS.html | 4 ++--
 .../project/WebContent/lesson_plans/UncheckedEmail.html | 4 ++--
 .../WebContent/lesson_plans/WeakAuthenticationCookie.html | 4 ++--
 .../project/WebContent/lesson_plans/WsSAXInjection.html | 4 ++--
 .../project/WebContent/lesson_plans/WsSqlInjection.html | 4 ++--
 .../main/project/WebContent/lesson_plans/XMLInjection.html | 5 +++--
 20 files changed, 44 insertions(+), 37 deletions(-)

diff --git a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html index aaa8d439a..c4ac8a08a 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html +++ b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html @@ -9,8 +9,8 @@ How to Create Database Back Door Attacks.

How the attacks works:

-Database are used usually as a backend for web applications. Also it is used as a media of storage. It can also -be used as a place to store a malacious activity such as a trigger. A trigger is called by the database management +Databases are used usually as a backend for web applications. Also it is used as a media of storage. It can also +be used as a place to store a malicious activity such as a trigger. A trigger is called by the database management system upon the execution of another database operation like insert, select, update or delete. An attacker for example can create a trigger that would set his email address instead of every new user's email address. @@ -20,3 +20,4 @@ can create a trigger that would set his email address instead of every new user' * You will not be able to actually create one in this lesson because the underlying database engine used with WebGoat doesn't support triggers.
* Your login ID is 101. + diff --git a/ webgoat/main/project/WebContent/lesson_plans/BasicAuthentication.html b/ webgoat/main/project/WebContent/lesson_plans/BasicAuthentication.html index a656eefb5..3d1af4778 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/BasicAuthentication.html +++ b/ webgoat/main/project/WebContent/lesson_plans/BasicAuthentication.html @@ -3,7 +3,8 @@

Concept / Topic To Teach:

-Basic Authentication is used to protect server side resources. The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and sendthose credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.
+Basic Authentication is used to protect server side resources. The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and send those credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.

General Goal(s):

For this lesson, your goal is to understand Basic Authentication and answer the questions below. + diff --git a/ webgoat/main/project/WebContent/lesson_plans/BlindSqlInjection.html b/ webgoat/main/project/WebContent/lesson_plans/BlindSqlInjection.html index 8284e4dbc..0ff76e32e 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/BlindSqlInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/BlindSqlInjection.html @@ -8,8 +8,8 @@ SQL injection attacks represent a serious threat to any database-driven site. Th
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.

-It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries.
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.

General Goal(s):

-The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.

Reference Ascii Values: 'A' = 65 'Z' = 90 'a' = 97 'z' = 122

The goal is to find the value of the first_name in table user_data for userid 15613. Put that name in the form to pass the lesson. \ No newline at end of file +The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.

Reference Ascii Values: 'A' = 65 'Z' = 90 'a' = 97 'z' = 122

The goal is to find the value of the first_name in table user_data for userid 15613. Put that name in the form to pass the lesson. diff --git a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html index 924227083..6e751b649 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html +++ b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html @@ -21,5 +21,6 @@ In this way, the attacker can make the victim perform actions that they didn't i

General Goal(s):

-Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malacious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu, right click on the left hand menu and choose copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transfered. When you think the attack is successfull, refresh the page and you will find the green check on the left hand side menu. +Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu, right click on the left hand menu and choose copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu. + diff --git a/ webgoat/main/project/WebContent/lesson_plans/CrossSiteScripting.html b/ webgoat/main/project/WebContent/lesson_plans/CrossSiteScripting.html index 760f2eb93..1d2848f3c 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/CrossSiteScripting.html +++ b/ webgoat/main/project/WebContent/lesson_plans/CrossSiteScripting.html @@ -3,9 +3,10 @@

Concept / Topic To Teach:

-It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved.
+It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.

General Goal(s):

For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks.
+ diff --git a/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html b/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html index 7287be2e2..19c19ee0b 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html @@ -16,7 +16,8 @@ javascript commands to exploit his attacks.

General Goal(s):

-* Your victim is a system that takes an activatation key to allow you to use it.
+* Your victim is a system that takes an activation key to allow you to use it.
* Your goal should be to try to get to enable the activate button.
* Take some time to see the HTML source in order to understand how the key validation process works.
+ diff --git a/ webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html b/ webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html index 630712226..65a641fda 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html +++ b/ webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html @@ -3,7 +3,7 @@

Concept / Topic To Teach:

-Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convienent and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified
+Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified

General Goal(s):

-The user should be able to exploit a hidden field to obtain a product at an incorrect price. \ No newline at end of file +The user should be able to exploit a hidden field to obtain a product at an incorrect price. diff --git a/ webgoat/main/project/WebContent/lesson_plans/HtmlClues.html b/ webgoat/main/project/WebContent/lesson_plans/HtmlClues.html index 4e1c619c9..f3aa39f39 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/HtmlClues.html +++ b/ webgoat/main/project/WebContent/lesson_plans/HtmlClues.html @@ -4,8 +4,8 @@

Concept / Topic To Teach:

- Developers are notorious for leaving statements like FIXME's, Code Broken, Hack, etc... inside the source code.  Review the source code for any comments denoting  passowrds, backdoors, or something doesn't work right.  + Developers are notorious for leaving statements like FIXME's, Code Broken, Hack, etc... inside the source code.  Review the source code for any comments denoting  passwords, backdoors, or something doesn't work right. 

General Goal(s):

- The user should be able to bypass the authentication check. \ No newline at end of file + The user should be able to bypass the authentication check. diff --git a/ webgoat/main/project/WebContent/lesson_plans/JSONInjection.html b/ webgoat/main/project/WebContent/lesson_plans/JSONInjection.html index 7a1e08e40..945dfb47e 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/JSONInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/JSONInjection.html @@ -11,13 +11,14 @@ This lesson teaches how to perform JSON Injection Attacks.

JavaScript Object Notation (JSON) is a simple and effective lightweight data exchange format. JSON can be in a lot of forms such as arrays, lists, hashtables and other data structures. JSON is widely used in AJAX and Web2.0 application and is favored by programmers over XML because of its ease of use and speed. -However, JSON, like XML is prone to Injection attacks. A malacious attackers can inject the reply from the server and inject some aribtrary values in there. +However, JSON, like XML is prone to Injection attacks. A malicious attacker can inject the reply from the server and inject some arbitrary values in there.

General Goal(s):

-* You are travelling from Boston, MA- Airport code BOS to Seattle, WA - Airport code SEA.
+* You are traveling from Boston, MA- Airport code BOS to Seattle, WA - Airport code SEA.
* Once you enter the three digits code of the airport, an AJAX request will be executed asking for the tickets price.
* You will notice that there are two flights available, an expensive one with no stops and another cheaper one with 2 stops.
* Your goal is to try to get the one with no stops but for a cheaper price. + diff --git a/ webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html b/ webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html index 738575cc8..5ea803d95 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html +++ b/ webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html @@ -3,8 +3,8 @@

Concept / Topic To Teach:

-Client-side validation should not be considered a secure means of validating parameters. These validation only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelyhood of insecure parameter values being used in the application. +Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application.

General Goal(s):

-For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting.
\ No newline at end of file +For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting.
diff --git a/ webgoat/main/project/WebContent/lesson_plans/RemoteAdminFlaw.html b/ webgoat/main/project/WebContent/lesson_plans/RemoteAdminFlaw.html index 207248adf..e852cbcba 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/RemoteAdminFlaw.html +++ b/ webgoat/main/project/WebContent/lesson_plans/RemoteAdminFlaw.html @@ -2,10 +2,10 @@

Lesson Plan Title: How to Force Browser Web Resources

Concept / Topic To Teach:

-Applications will often have an adminstrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well. -

Standards Addressed:

+Applications will often have an administrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well. +

Standards Addressed :

General Goal(s): Try to access the administrative interface for WebGoat. You may also try to access the administrative interface for Tomcat. The Tomcat admin interface can be accessed via a URL (/admin) and will not count towards the completion of this lesson. -

\ No newline at end of file +

diff --git a/ webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html b/ webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html index 6aae8f89d..4b6c33184 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html @@ -8,7 +8,7 @@ SQL injection attacks represent a serious threat to any database-driven site. Th
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.

-It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries.
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.

General Goal(s):

The form below allows a user to view weather data. Try to inject an SQL string that results in all the weather data being displayed. - \ No newline at end of file + diff --git a/ webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html b/ webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html index 8c8f9e5b6..542563590 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html @@ -8,7 +8,7 @@ SQL injection attacks represent a serious threat to any database-driven site. Th
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.

-It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries.
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.

General Goal(s):

The form below allows a user to view their credit card numbers. Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'. - \ No newline at end of file + diff --git a/ webgoat/main/project/WebContent/lesson_plans/StoredXss.html b/ webgoat/main/project/WebContent/lesson_plans/StoredXss.html index 4160adcfd..f03b3f690 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/StoredXss.html +++ b/ webgoat/main/project/WebContent/lesson_plans/StoredXss.html @@ -3,7 +3,7 @@

Concept / Topic To Teach:

-It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved. +It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.

General Goal(s):

-The user should be able to add message content that cause another user to load an undesireable page or content. \ No newline at end of file +The user should be able to add message content that cause another user to load an undesirable page or content. diff --git a/ webgoat/main/project/WebContent/lesson_plans/TraceXSS.html b/ webgoat/main/project/WebContent/lesson_plans/TraceXSS.html index c1aaed9d3..6371eef38 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/TraceXSS.html +++ b/ webgoat/main/project/WebContent/lesson_plans/TraceXSS.html @@ -3,7 +3,7 @@

Concept / Topic To Teach:

-It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved. +It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.

General Goal(s):

Tomcat is configured to support the HTTP TRACE command. Your goal is to perform a Cross Site Trace (XST) attack. - \ No newline at end of file + diff --git a/ webgoat/main/project/WebContent/lesson_plans/UncheckedEmail.html b/ webgoat/main/project/WebContent/lesson_plans/UncheckedEmail.html index 2cd2e82db..db3c630e9 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/UncheckedEmail.html +++ b/ webgoat/main/project/WebContent/lesson_plans/UncheckedEmail.html @@ -3,7 +3,7 @@

Concept / Topic To Teach:

-It is always a good practice to validate all inputs. Most sites allow a non-authenticated users to send email to a 'friend'. This is a great mechanisms for spammers to send out email using your corporate mail server. +It is always a good practice to validate all inputs. Most sites allow non-authenticated users to send email to a 'friend'. This is a great mechanism for spammers to send out email using your corporate mail server.

General Goal(s):

-The user should be able to send and obnoxious email message. \ No newline at end of file +The user should be able to send and obnoxious email message. diff --git a/ webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html b/ webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html index 1787686c4..9dad07df8 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html +++ b/ webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html @@ -4,7 +4,7 @@

Concept / Topic To Teach:

-Many applications will automatically log a user into their site if the right authentication cookie is specified.   Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained.  Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability.  Some times the cookies maybe intercepted using Ccross site scripting.  This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.
+Many applications will automatically log a user into their site if the right authentication cookie is specified.   Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained.  Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability.  Some times the cookies maybe intercepted using Cross site scripting.  This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.

General Goal(s):

- The user should be able to bypass the authentication check. \ No newline at end of file + The user should be able to bypass the authentication check. diff --git a/ webgoat/main/project/WebContent/lesson_plans/WsSAXInjection.html b/ webgoat/main/project/WebContent/lesson_plans/WsSAXInjection.html index 60232826e..2a8967289 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/WsSAXInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/WsSAXInjection.html @@ -5,5 +5,5 @@ Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function listed in the web service definition language (WSDL).

General Goal(s):

-Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.
In this exercise, try to change the password for a user other than 101. - \ No newline at end of file +Some web interfaces make use of Web Services in the background. If the front-end relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.
In this exercise, try to change the password for a user other than 101. + diff --git a/ webgoat/main/project/WebContent/lesson_plans/WsSqlInjection.html b/ webgoat/main/project/WebContent/lesson_plans/WsSqlInjection.html index 352540f48..aec97d1a6 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/WsSqlInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/WsSqlInjection.html @@ -5,5 +5,5 @@ Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function listed in the web service definition language (WSDL).

General Goal(s):

-Check the web service description language (WSDL) and try to obtain multiple customer credit card numbers. You will not see the results returned to this screen. When you believe you have suceeded, refresh the page and look for the 'green star' - \ No newline at end of file +Check the web service description language (WSDL) and try to obtain multiple customers credit card numbers. You will not see the results returned to this screen. When you believe you have succeeded, refresh the page and look for the 'green star' + diff --git a/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html b/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html index 7012f3b1f..c29bf643e 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html +++ b/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html @@ -9,10 +9,11 @@

How the attacks works:

-AJAX applications use XML to exchange information with the server. This XML can be easily intercepted and altered by a malacious attacker. +AJAX applications use XML to exchange information with the server. This XML can be easily intercepted and altered by a malicious attacker.

General Goal(s):

-WebGoat-Miles Reward Miles shows all the rewards available. Once, you enter your account ID, it will show you your balance and the ones that you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239. +WebGoat-Miles Reward Miles shows all the rewards available. Once you’ve entered your account ID, the lesson will show you your balance and the products you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239. +
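
Review bot: In BackDoors.html the corrected paragraph now mixes plural and singular: the subject becomes "Databases" but the following sentences still read "Also it is used as a media of storage. It can also be used ...". Suggest "They are also used as a storage medium. They can also be used ...", and "usually used" instead of "used usually". The hunk also appends a blank line at the end of the file, as most hunks in this patch do, which the commit message "Fixed spelling mistakes." does not mention.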
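
Review bot: In BlindSqlInjection.html the line that fixes "queiries" still reads "data that will used in OS command, scripts, and database queries"; it needs "will be used" and "OS commands". The identical sentence is carried unchanged into SqlNumericInjection.html and SqlStringInjection.html in this patch. In the same hunk the "General Goal(s)" paragraph is removed and re-added only to gain the end-of-file newline, and it still reads "develop a true / false test check other entries", where "test to check" looks like what was meant.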
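
Review bot: In HiddenFieldTampering.html the line that fixes "convienent" still contains "pricing, etc.. information" and ends without a full stop after "the price specified". Since the line is already being rewritten, tidy both here, for example "tracking, login, pricing and similar information".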
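
Review bot: In JSONInjection.html the rewritten sentence "A malicious attacker can inject the reply from the server and inject some arbitrary values in there" still uses "inject" twice, and the first use does not fit a server reply. "intercept the reply from the server and inject arbitrary values into it" would match the wording XMLInjection.html uses in this patch ("intercepted and altered"). The context bullet "three digits code" should be "three-digit code", and "travelling" to "traveling" is a regional variant rather than a misspelling.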
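
Review bot: In RemoteAdminFlaw.html the re-added heading changes "Standards Addressed:" to "Standards Addressed :", introducing a space before the colon that the other headings in these lesson plans do not have ("Concept / Topic To Teach:", "General Goal(s):"). Keep the original heading; the only spelling change in this hunk is "adminstrative" to "administrative".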
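
Review bot: In StoredXss.html the goal line is touched to fix "undesireable" but keeps the agreement error "message content that cause another user"; make it "causes".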
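
Review bot: In UncheckedEmail.html the last line is rewritten only to add the end-of-file newline and still reads "send and obnoxious email message"; "and" should be "an".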
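
Review bot: In WeakAuthenticationCookie.html the corrected line fixes "Ccross" but leaves "Some times" (three occurrences) and "the cookies maybe intercepted"; these should be "Sometimes" and "may be intercepted". "Cross site scripting" in mid-sentence would also read better as "cross-site scripting".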
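
Review bot: In WsSqlInjection.html the change from "multiple customer credit card numbers" to "multiple customers credit card numbers" introduces an error: the original attributive form was correct, and the plural needs a possessive apostrophe ("customers' credit card numbers") if it is kept. The sentence also still ends without a full stop after 'green star'.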
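
Review bot: In XMLInjection.html the new sentence "Once you’ve entered your account ID" uses a typographic apostrophe (’) where the other lesson plans in this patch use the ASCII ' ("user's", "doesn't", "wasn't"). The hunk shows no charset declaration for the file, so the character can render as mojibake; use ' or &rsquo; instead. The same line also replaces "the ones that you can afford" with "the products you can afford" while the rest of the paragraph speaks of "rewards", which is a wording change beyond the spelling fix the commit message describes.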