diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
index 64eb4ee9f..36aef5b28 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@@ -156,37 +156,38 @@ public class CrossSiteScripting extends GoatHillsFinancial
if (STAGE1.equals(stage))
{
instructions = "Execute a Stored Cross Site Scripting (XSS) attack.
"
- + "For this exercise, your mission is to cause the application to serve a script of your making "
- + " to some other user.";
+ + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
+ + "Verify that 'Jerry' is affected by the attack.";
}
else if (STAGE2.equals(stage))
{
instructions = "Block Stored XSS using Input Validation.
"
- + "You will modify the application to perform input validation on the vulnerable input field "
- + "you just exploited.";
+ + "Implement a fix to block the stored XSS before it can be written to the database. "
+ + "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
}
else if (STAGE3.equals(stage))
{
instructions = "Execute a previously Stored Cross Site Scripting (XSS) attack.
"
- + "The application is still vulnerable to scripts in the database. Trigger a pre-stored "
- + "script by logging in as employee 'David' and viewing Bruce's profile.";
+ + "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. "
+ + "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place.";
}
else if (STAGE4.equals(stage))
{
instructions = "Block Stored XSS using Output Encoding.
"
- + "Encode data served from the database to the client so that any scripts are rendered harmless.";
+ + "Implement a fix to block XSS after it is read from the database. "
+ + "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
}
else if (STAGE5.equals(stage))
{
instructions = "Execute a Reflected XSS attack.
"
- + "Your goal here is to craft a link containing a script which the application will "
- + "serve right back to any client that activates the link.";
+ + "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. "
+ + "Verify that another employee using the link is affected by the attack.";
}
else if (STAGE6.equals(stage))
{
instructions = "Block Reflected XSS using Input Validation.
"
- + "Use the input validation techniques learned ealier in this lesson to close the vulnerability "
- + "you just exploited.";
+ + "Implement a fix to block this reflected XSS attack. "
+ + "Repeat step 5. Verify that the attack URL is no longer effective.";
}
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index 3c3b6f7a7..5f5b99e62 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -140,29 +140,26 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
- instructions = "Breaking functional access control.
"
- + "You should be able to login as a regular employee and delete another user's employee "
- + "profile, even though that is supposed to be an HR-only function.";
+ instructions = "Bypass Presentational Layer Access Control.
"
+ + "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
+ + "Verify that Tom's profile can be deleted.";
}
else if (STAGE2.equals(stage))
{
- instructions = "Implementing access control in the Business Layer
"
- + "Access control has already been implemented in the Presentation Layer, but as we have just "
- + "seen, this is not enough. Implement access control in the Businesss Layer to verify "
- + "authorization to use the Delete function before actually executing it.";
+ instructions = "Add Business Layer Access Control.
"
+ + "Implement a fix to deny unauthorized access to the Delete function. "
+ + "Repeat stage 1. Verify that access to Delete is properly denied.";
}
else if (STAGE3.equals(stage))
{
- instructions = "Breaking data access control.
"
- + "Data Layer access control is being already done on the staff list, but it has not been "
- + "globally implemented. Take advantage of this to login as a regular employee and view the "
- + "CEO's employee profile.";
+ instructions = "Breaking Data Layer Access Control.
"
+ + "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
}
else if (STAGE4.equals(stage))
{
- instructions = "Implementing access control in the Data Layer.
"
- + "Implement Data Layer access control to prevent unauthorized (and potentially career threatening) "
- + "access to employee personal data.";
+ instructions = "Add Data Layer Access Control.
"
+ + "Implement a fix to deny unauthorized access to this data. "
+ + "Repeat stage 3. Verify that access to other employee's profiles is properly denied.";
}
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
index a176fa6ae..6adf47fc8 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
@@ -149,29 +149,26 @@ public class SQLInjection extends GoatHillsFinancial
if (STAGE1.equals(stage))
{
instructions = "Use String SQL Injection to bypass authentication. "
- + "The goal here is to login as the user "
- + PRIZE_EMPLOYEE_NAME
- + ", who is in the Admin group. "
- + "You do not have the password, but the form is SQL injectable.";
+ + "Use SQL injection to log in as the boss ('Neville') without using the correct password. "
+ + "Verify that Neville’s profile can be viewed and that all functions are available (including Search, Create, and Delete).";
}
else if (STAGE2.equals(stage))
{
- instructions = "Use a parameterized query.
"
- + "A dynamic SQL query is not necessary for the login function to work. Change login "
- + "to use a parameterized query to protect against malicious SQL in the query parameters.";
+ instructions = "Block SQL Injection using a Parameterized Query.
"
+ + "Implement a fix to block SQL injection into the fields in question on the Login page. "
+ + "Repeat stage 1. Verify that the attack is no longer effective.";
}
else if (STAGE3.equals(stage))
{
- instructions = "Use Integer SQL Injection to bypass access control.
"
- + "The goal here is to view the CEO's employee profile, again, even with data access "
- + "control checks in place from a previous lesson. "
- + "As before, you do not have the password, but the form is SQL injectable.";
+ instructions = "Execute SQL Injection to bypass authorization.
"
+ + "As regular employee 'Larry', use SQL injection into a parameter of the View function "
+ + "(from the List Staff page) to view the profile of the boss ('Neville').";
}
else if (STAGE4.equals(stage))
{
- instructions = "Use a parameterized query again.
"
- + "Change the ViewProfile function to use a parameterized query to protect against "
- + "malicious SQL in the numeric query parameter.";
+ instructions = "Block SQL Injection using a Parameterized Query.
"
+ + "Implement a fix to block SQL injection into the relevant parameter. "
+ + "Repeat stage 3. Verify that access to Neville’s profile is properly blocked.";
}
}