dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#315 Adding UI handling and corresponding expected elements for html files for decoration. Inlucdes minor refactor

Browse Source
This commit is contained in:
Jason White 2017-01-25 11:18:24 -05:00 committed by Nanne Baars
parent dd76cb258c
commit ac16342c17
11 changed files with 361 additions and 345 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java
View File

@ -34,7 +34,7 @@ import lombok.Getter;
@Getter @Getter
public class AttackResult { public class AttackResult {
private boolean lessonCompleted; private boolean assignmentCompleted;
private String feedback; private String feedback;
private String output; private String output;
@ -48,7 +48,7 @@ public class AttackResult {
public static AttackResult success(String feedback, String output) { public static AttackResult success(String feedback, String output) {
AttackResult attackResult = new AttackResult(); AttackResult attackResult = new AttackResult();
attackResult.lessonCompleted = true; attackResult.assignmentCompleted = true;
attackResult.feedback = feedback; attackResult.feedback = feedback;
attackResult.output = output; attackResult.output = output;
return attackResult; return attackResult;
@ -60,13 +60,13 @@ public class AttackResult {
public static AttackResult failed(String feedback, String output) { public static AttackResult failed(String feedback, String output) {
AttackResult attackResult = new AttackResult(); AttackResult attackResult = new AttackResult();
attackResult.lessonCompleted = false; attackResult.assignmentCompleted = false;
attackResult.feedback = feedback; attackResult.feedback = feedback;
attackResult.output = output; attackResult.output = output;
return attackResult; return attackResult;
} }
public boolean assignmentSolved() { public boolean assignmentSolved() {
return lessonCompleted; return assignmentCompleted;
} }
} }

4
webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
View File

@ -64,8 +64,8 @@ define(['jquery',
this.listenTo(this.lessonContent,'content:loaded',this.onContentLoaded); this.listenTo(this.lessonContent,'content:loaded',this.onContentLoaded);
this.userAndInfoView = new UserAndInfoView(); this.userAndInfoView = new UserAndInfoView();
this.menuButtonView = new MenuButtonView(); this.menuButtonView = new MenuButtonView();
this.listenTo(this.lessonContentView, 'lesson:complete', this.updateMenu); this.listenTo(this.lessonContentView, 'assignment:complete', this.updateMenu);
this.listenTo(this.lessonContentView, 'lesson:complete', this.updateLessonOverview); this.listenTo(this.lessonContentView, 'assignment:complete', this.updateLessonOverview);
}; };
this.loadLesson = function(name,pageNum) { this.loadLesson = function(name,pageNum) {

17
webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
View File

@ -114,13 +114,24 @@ define(['jquery',
this.renderFeedback(data.feedback); this.renderFeedback(data.feedback);
this.renderOutput(data.output || ""); this.renderOutput(data.output || "");
if (data.lessonCompleted) { if (data.assignmentCompleted) {
this.curForm.reset(); this.markAssignmentComplete();
this.trigger('lesson:complete'); this.trigger('assignment:complete');
} else {
this.markAssignmentIncomplete();
} }
return false; return false;
}, },
markAssignmentComplete: function () {
this.curForm.reset();
$(this.curForm).siblings('.assignment-success').find('i').removeClass('hidden');
},
markAssignmentIncomplete: function () {
$(this.curForm).siblings('.assignment-success').find('i').addClass('hidden');
},
onErrorResponse: function (a,b,c) { onErrorResponse: function (a,b,c) {
console.error(a); console.error(a);
console.error(b); console.error(b);

2
webgoat-container/src/main/resources/static/js/goatApp/view/LessonProgressView.js
View File

@ -16,7 +16,7 @@ define(['jquery',
} }
}, },
render: function () { render: function () {
if (this.model.get("lessonCompleted")) { if (this.model.get("assignmentCompleted")) {
this.$el.html(this.model.get('successMessage')); this.$el.html(this.model.get('successMessage'));
} else { } else {
this.$el.html(""); this.$el.html("");

8
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
View File

@ -174,8 +174,8 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6a.adoc"></div> <div class="adoc-content" th:replace="doc:CrossSiteScripting_content6a.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -193,7 +193,6 @@
</tr> </tr>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
@ -228,8 +227,9 @@
<div class="adoc-content" <div class="adoc-content"
th:replace="doc:CrossSiteScripting_content9a.adoc"></div> th:replace="doc:CrossSiteScripting_content9a.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -263,7 +263,7 @@
</tbody> </tbody>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>

4
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc Normal file
View File

@ -0,0 +1,4 @@
== Was it Really Reflected XSS?
Now, was the last attack truly reflected XSS?

3
webgoat-lessons/csrf/src/main/resources/plugin/CSRF/html/XXE.html → webgoat-lessons/csrf/src/main/resources/plugin/CSRF/html/CSRF.html
View File

@ -20,6 +20,7 @@
<div class="adoc-content" th:replace="doc:XXE_simple.adoc"></div> <div class="adoc-content" th:replace="doc:XXE_simple.adoc"></div>
<!-- if including attack, reuse this section, leave classes in place --> <!-- if including attack, reuse this section, leave classes in place -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -69,6 +70,7 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div> <div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -128,6 +130,7 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div> <div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->

5
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html
View File

@ -15,6 +15,7 @@
<div class="adoc-content" th:replace="doc:HttpBasics_content1.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_content1.adoc"></div>
<!-- if including attack, reuse this section, leave classes in place --> <!-- if including attack, reuse this section, leave classes in place -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -44,8 +45,8 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_content2.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_content2.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -82,8 +83,6 @@
<div class="attack-output"></div> <div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">

19
webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
View File

@ -13,8 +13,8 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:IDOR_login.adoc"></div> <div class="adoc-content" th:replace="doc:IDOR_login.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div class="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -36,7 +36,6 @@
</tr> </tr>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
@ -50,8 +49,8 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:IDOR_viewDiffs.adoc"></div> <div class="adoc-content" th:replace="doc:IDOR_viewDiffs.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -66,7 +65,6 @@
<input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" /> <input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" />
</form> </form>
</div>
<div id="idor-profile"></div> <div id="idor-profile"></div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
@ -75,8 +73,8 @@
</div> </div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div class="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -89,7 +87,6 @@
<input name="attributes" type="text" /> <input name="attributes" type="text" />
<input name="Submit Diffs" value="Submit Diffs" type="submit" /> <input name="Submit Diffs" value="Submit Diffs" type="submit" />
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
@ -104,8 +101,8 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:IDOR_viewOwnAltPath.adoc"></div> <div class="adoc-content" th:replace="doc:IDOR_viewOwnAltPath.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div class="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -119,7 +116,6 @@
<input name="url" value="WebGoat/" type="text"/> <input name="url" value="WebGoat/" type="text"/>
<input name="submit" value="Submit" type="SUBMIT"/> <input name="submit" value="Submit" type="SUBMIT"/>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
@ -133,8 +129,8 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:IDOR_viewOtherProfile.adoc"></div> <div class="adoc-content" th:replace="doc:IDOR_viewOtherProfile.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -149,7 +145,7 @@
<input name="View Profile" value="View Profile" type="submit" /> <input name="View Profile" value="View Profile" type="submit" />
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
@ -158,8 +154,8 @@
<div class="adoc-content" th:replace="doc:IDOR_editOtherProfile.adoc"></div> <div class="adoc-content" th:replace="doc:IDOR_editOtherProfile.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -174,7 +170,6 @@
<input name="View Profile" value="View Profile" type="submit" /> <input name="View Profile" value="View Profile" type="submit" />
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>

92
webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html
View File

@ -2,51 +2,52 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_plan.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_plan.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content1.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content1.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content2.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content2.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content3.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content3.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content4.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content4.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content5.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content5.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content5a.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content5a.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -57,27 +58,26 @@
<table> <table>
<tr> <tr>
<td>Account Name:</td> <td>Account Name:</td>
<td><input name="account" value="" type="TEXT" /></td> <td><input name="account" value="" type="TEXT"/></td>
<td><input <td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td> name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
</tr> </tr>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content5b.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content5b.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -88,34 +88,34 @@
<table> <table>
<tr> <tr>
<td>Name:</td> <td>Name:</td>
<td><input name="userid" value="" type="TEXT" /></td> <td><input name="userid" value="" type="TEXT"/></td>
<td><input <td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td> name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
<td></td> <td></td>
</tr> </tr>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -126,22 +126,22 @@
<table> <table>
<tr> <tr>
<td>Name:</td> <td>Name:</td>
<td><input name="userid_6a" value="" type="TEXT" /></td> <td><input name="userid_6a" value="" type="TEXT"/></td>
<td><input <td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td> name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
<td></td> <td></td>
</tr> </tr>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -152,62 +152,62 @@
<table> <table>
<tr> <tr>
<td>Password:</td> <td>Password:</td>
<td><input name="userid_6b" value="" type="TEXT" /></td> <td><input name="userid_6b" value="" type="TEXT"/></td>
<td><input <td><input
name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td> name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
<td></td> <td></td>
</tr> </tr>
</table> </table>
</form> </form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div> <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
</div> </div>
</html> </html>

4
webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html
View File

@ -20,6 +20,8 @@
<div class="adoc-content" th:replace="doc:XXE_simple.adoc"></div> <div class="adoc-content" th:replace="doc:XXE_simple.adoc"></div>
<!-- if including attack, reuse this section, leave classes in place --> <!-- if including attack, reuse this section, leave classes in place -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -69,6 +71,7 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div> <div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -128,6 +131,7 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div> <div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->