diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
new file mode 100644
index 000000000..203d5ec35
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
@@ -0,0 +1,196 @@
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.List;
+import java.sql.Statement;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.H2;
+import org.apache.ecs.html.PRE;
+import org.apache.ecs.html.Span;
+import org.apache.ecs.html.Div;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.BR;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+
+public class BackDoors extends LessonAdapter {
+
+ private static Connection connection = null;
+ private final static Integer DEFAULT_RANKING = new Integer(80);
+ private final static String USERNAME = "username";
+
+ protected Element createContent( WebSession s )
+ {
+ return super.createStagedContent(s);
+ }
+
+ protected Element doStage1( WebSession s ) throws Exception
+ {
+ return concept1( s );
+ }
+
+ protected Element doStage2( WebSession s ) throws Exception
+ {
+ return concept2( s);
+ }
+
+
+ protected Element concept1( WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+
+ ec.addElement( makeUsername(s));
+
+ try
+ {
+ String userInput = s.getParser().getRawParameter(USERNAME, "");
+ if (!userInput.equals(""))
+ {
+ String[] arrSQL = userInput.split(";");
+ if (arrSQL.length == 2)
+ {
+ Connection conn = getConnection(s);
+ Statement statement = conn.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
+ statement.executeUpdate( arrSQL[1] );
+
+ makeSuccess(s);
+ getLessonTracker(s).setStage(2);
+ s.setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. 
Now move to stage 2 to learn how to create a backdoor or a DB worm"); + } + } + } + catch(Exception ex) + { + ec.addElement( new PRE(ex.getMessage()) ); + } + return ec; + } + + protected Element concept2( WebSession s) throws Exception + { + ElementContainer ec = new ElementContainer(); + ec.addElement(makeUsername(s)); + + String userInput = s.getParser().getRawParameter(USERNAME, ""); + + if (!userInput.equals("")) + { + String[] arrSQL = userInput.split(";"); + if (arrSQL.length == 2) + { + if ( userInput.toUpperCase().indexOf("CREATE TRIGGER") != 0) + { + makeSuccess(s); + } + } + + } + return ec; + } + + public String getInstructions(WebSession s) + { + String instructions = ""; + + if (!getLessonTracker(s).getCompleted()) + { + switch (getStage(s)) + { + case 1: + instructions = "Stage " + getStage(s) + ": Use String SQL Injection to execute more than one SQL Statement. "; + instructions = instructions + " The first stage of this lesson is to teach you how to use a vulnerable field to create two SQL "; + instructions = instructions + " statements. The first is the system's while the second is totally yours."; + instructions = instructions + " Try to enter something in the email field and it will get updated in the rectangle below,"; + instructions = instructions + " to see the actual SQL statement that will be executed. Try to execute an update statement"; + break; + case 2: + instructions = "Stage " + getStage(s) + ": Use String SQL Injection to inject a backdoor. " ; + instructions = instructions + " The second stage of this lesson is to teach you how to use a vulneable fields to inject the DB work or the backdoor." ; + instructions = instructions + " Now try to use the same technique to inject a trigger that would act as " ; + instructions = instructions + " SQL backdoor, the syntax of a trigger is:
"; + instructions = instructions + " CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com'WHERE userid = NEW.userid
"; + instructions = instructions + " Note that nothing will actually be executed because the current underlying DB doesn't support triggers."; + break; + } + } + + return instructions; + } + protected Element makeUsername(WebSession s) + { + ElementContainer ec = new ElementContainer(); + StringBuffer script = new StringBuffer(); + script.append( "" ); + ec.addElement( new StringElement(script.toString())); + + ec.addElement( new StringElement( "Username: " ) ) ; + Input username = new Input( Input.TEXT, "username", "" ); + ec.addElement( username ); + + String userInput = s.getParser().getRawParameter("username" , ""); + + ec.addElement(new BR()); + ec.addElement(new BR()); + + String formattedInput = "" + userInput + ""; + ec.addElement( new Div("select userid, ssn, salary from employee where login=" + formattedInput )); + + Input b = new Input(); + + b.setName("Submit"); + b.setType(Input.SUBMIT); + b.setValue("Submit"); + + ec.addElement(new PRE( b ) ); + + return ec; + } + + public static synchronized Connection getConnection(WebSession s) + throws SQLException, ClassNotFoundException + { + if ( connection == null ) + { + connection = DatabaseUtilities.makeConnection( s ); + } + + return connection; + } + + public Element getCredits() { + return new StringElement("Created by Sherif Koussa"); + } + + protected List getHints() { + return super.getHints(); + } + + protected Category getDefaultCategory() + { + return AbstractLesson.A6; + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + public String getTitle() + { + return ( "How to Use Database Backdoors " ); + } +} diff --git a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html new file mode 100644 index 000000000..1547c9100 --- /dev/null +++ b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html @@ -0,0 +1,21 @@ +
+

Lesson Plan Title: How to Create Database Back Door Attacks.

+
+ +

Concept / Topic To Teach:

+How to Create Database Back Door Attacks. +
+
+

+How the attacks works: +

+Database are used usually as a backend for web applications. Also it is used as a media of storage. It can also +be used as a place to store a malacious activity such as a trigger. A trigger is called by the database management +system upon the execution of another database operation like insert, select, update or delete. An attacker for example +can create a trigger that would set his email address instead of every new user's email address. +
+

General Goal(s):

+ +* Your goal should be to learn how you can exploit a vulnerable query to create a trigger.
+* You will not be able to actually create one in this lesson because the underlying database engine used with WebGoat doesn't support triggers.
+
diff --git a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
index c0400f79b..3edf661fd 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title: Cross Site Request Forgery.

+

Lesson Plan Title: How to Perform Cross Site Request Forgery.

Concept / Topic To Teach:

diff --git a/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html b/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html
index 2d03e8738..3428c2e93 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/DOMInjection.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title:DOM Injection.

+

Lesson Plan Title: How to Perform DOM Injection Attack.

Concept / Topic To Teach:

diff --git a/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html b/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html
index 927b631ca..2bf4fa6a4 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title:Forced Browsing.

+

Lesson Plan Title: How to Perform Forced Browsing Attacks.

Concept / Topic To Teach:

diff --git a/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html b/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
index fd29eac68..2f2e9d68a 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title: Http Splitting

+

Lesson Plan Title: How to Perform Http Splitting

Concept / Topic To Teach:

diff --git a/ webgoat/main/project/WebContent/lesson_plans/LogSpoofing.html b/ webgoat/main/project/WebContent/lesson_plans/LogSpoofing.html
index 40343c168..dfd3cdc3d 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/LogSpoofing.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/LogSpoofing.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title: Log Spoofing.

+

Lesson Plan Title: How to Perform Log Spoofing.

Concept / Topic To Teach:

diff --git a/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html b/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html
index ab272d1b7..6733ca4a1 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title: XML Injection Attacks.

+

Lesson Plan Title: How to Perform XML Injection Attacks.

Concept / Topic To Teach:

diff --git a/ webgoat/main/project/WebContent/lesson_plans/XPATHInjection.html b/ webgoat/main/project/WebContent/lesson_plans/XPATHInjection.html
index 49d95643c..926d8f151 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/XPATHInjection.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/XPATHInjection.html
@@ -1,5 +1,5 @@
-

Lesson Plan Title: XPATH Injection Attacks.

+

Lesson Plan Title: How to Perform XPATH Injection Attacks.

Concept / Topic To Teach: