From b048988d2fbd166ff8b6530b60d0638f95db93bd Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 13 Jun 2017 03:22:19 +0200
Subject: [PATCH] Changed layout of the html tampering lesson and fixed some
 JavaScript issues. Added a small mitigation page. Moved the lessons
 concerning client side validation to client side category

---
 .../org/owasp/webgoat/lessons/Category.java   |   2 +-
 .../webgoat/plugin/BypassRestrictions.java    |   2 +-
 .../webgoat/plugin/ClientSideFiltering.java   |   2 +-
 .../owasp/webgoat/plugin/HtmlTampering.java   |   2 +-
 .../webgoat/plugin/HtmlTamperingTask.java     |   3 +-
 .../main/resources/html/HtmlTampering.html    | 220 +++++++++++-------
 .../resources/i18n/WebGoatLabels.properties   |   4 +
 .../src/main/resources/images/samsung.jpg     | Bin 0 -> 3547 bytes
 .../lessonPlans/en/HtmlTampering_Intro.adoc   |   1 +
 .../en/HtmlTampering_Mitigation.adoc          |  14 ++
 .../lessonPlans/en/HtmlTampering_Task.adoc    |   2 +-
 11 files changed, 165 insertions(+), 87 deletions(-)
 create mode 100644 webgoat-lessons/html-tampering/src/main/resources/images/samsung.jpg
 create mode 100755 webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
index 6c3a5833b..7d47892ab 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
@@ -52,7 +52,7 @@ public enum Category {
     INSECURE_CONFIGURATION("Insecure Configuration", new Integer(1400)),
     INSECURE_STORAGE("Insecure Storage", new Integer(1500)),
     MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
-    PARAMETER_TAMPERING("Parameter Tampering", new Integer(1700)),
+    CLIENT_SIDE("Client side", new Integer(1700)),
     SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
     WEB_SERVICES("Web Services", new Integer(1900)),
     VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(1950)),
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java
index 5f74cea57..21e522a22 100755
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java
@@ -38,7 +38,7 @@ import java.util.List;
 public class BypassRestrictions extends NewLesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.PARAMETER_TAMPERING;
+        return Category.CLIENT_SIDE;
     }
 
     @Override
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java
index feff55a0f..98a7c4172 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java
@@ -39,7 +39,7 @@ public class ClientSideFiltering extends NewLesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AJAX_SECURITY;
+        return Category.CLIENT_SIDE;
     }
 
     @Override
diff --git a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java
index 86223963c..a03dddd1b 100755
--- a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java
+++ b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java
@@ -38,7 +38,7 @@ import java.util.List;
 public class HtmlTampering extends NewLesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.PARAMETER_TAMPERING;
+        return Category.CLIENT_SIDE;
     }
 
     @Override
diff --git a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java
index a89ba294a..2f62612c0 100755
--- a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java
+++ b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java
@@ -1,6 +1,7 @@
 package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -8,7 +9,6 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 
 /**
@@ -45,6 +45,7 @@ import java.io.IOException;
  * @created October 28, 2003
  */
 @AssignmentPath("/HtmlTampering/task")
+@AssignmentHints({ "hint1", "hint2", "hint3"})
 public class HtmlTamperingTask extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html b/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
index 552fc8e1b..b21ba255a 100755
--- a/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
+++ b/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
@@ -2,90 +2,148 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:HtmlTampering_Intro.adoc"></div>
-    </div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:HtmlTampering_Intro.adoc"></div>
+</div>
 
-    <div class="lesson-page-wrapper">
-        <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:HtmlTampering_Task.adoc"></div>
-        <div class="attack-container">
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <form class="attack-form" accept-charset="UNKNOWN" name="task"
-                  method="POST"
-                  action="/WebGoat/HtmlTampering/task"
-                  enctype="application/json;charset=UTF-8">
-                <script>
-                    let regex=/^2999.99$/
-                    let price = 2999.99
-                    document.getElementById("total").innerHTML =  '$' + price.toString()
-                    document.task.Total.value = price * document.task.QTY.value
+<div class="lesson-page-wrapper">
+    <!-- stripped down without extra comments -->
+    <div class="adoc-content" th:replace="doc:HtmlTampering_Task.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
+              method="POST"
+              action="/WebGoat/HtmlTampering/task"
+              enctype="application/json;charset=UTF-8">
+            <script>
+                var regex = /^2999.99$/;
+                var price = 2999.99;
+                document.getElementById("total").innerHTML = '$' + price.toString();
+                var total = price * document.task.QTY.value;
+                document.getElementById("total").innerHTML = '$' + total;
+                document.getElementById("subtotal").innerHTML = '$' + total;
+                document.getElementById("totalAmount").innerHTML = '$' + total;
 
-                    $('#task').submit(function() {
-                      if (!regex.test(price.toString())) {
-                          alert('Data tampering is disallowed')
-                          price = 2999.99
-                          return false
-                      }
-                      else {
-                        return true
-                      }
-                    })
+                $('#remove').click(function () {
+                    document.getElementById("QTY").value = 1;
+                    update();
+                });
 
-                    function update() {
-                      let total = price * document.task.QTY.value
-                      document.getElementById("total").innerHTML = total.toString()
-                      document.task.Total.value = total
+                $("#QTY").on('change keydown paste input blur', function () {
+                    update();
+                });
+
+                function update() {
+                    price = $('#price').text();
+                    if (!regex.test(price.toString())) {
+                        alert('Data tampering is disallowed');
+                        document.getElementById("price").innerHTML = 2999.99;
+                        update();
                     }
-                </script>
-                <center>
-                    <h1>Shopping Cart </h1>
-                </center>
-                <br />
-                <table align="center" cellspacing="0" width="90%" border="1" cellpadding="2">
-                    <tbody>
-                        <tr>
-                            <th width="80%">Shopping Cart Items  To Buy Now</th>
-                            <th width="10%">Price</th>
-                            <th width="3%">Quantity</th>
-                            <th width="7%">Total</th>
-                        </tr>
-                        <tr>
-                            <td>56 inch HDTV (model KTV-551)</td>
-                            <td align="right">2999.99</td>
-                            <td align="right">
-                                <input size="6" value="1" name="QTY" type="TEXT" id="QTY"/>
-                            </td>
-                            <td id="total"></td>
-                        </tr>
-                    </tbody>
-                </table>
-                <br />
-                <table align="center" cellspacing="0" width="90%" border="0" cellpadding="2">
-                    <tbody>
-                        <tr>
-                            <td>The total charged to your credit card:</td>
-                            <td>$2999,99</td>
-                            <td>
-                                <input name="UPDATE" type="button" value="UpdateCart" onclick="update()"/>
-                            </td>
-                            <td>
-                                <input value="Purchase" name="SUBMIT" type="submit" />
-                            </td>
-                        </tr>
-                    </tbody>
-                </table>
-                <input name="Total" type="HIDDEN" value="2999.99" />
-                <br />
-
-
-            </form>
-            <br></br>
-            <div class="attack-feedback"></div>
-            <div class="attack-output"></div>
-        </div>
+                    var total = price * document.task.QTY.value;
+                    $('#total').text('$' + total.toFixed(2));
+                    $('#subtotal').text('$' + total.toFixed(2));
+                    $('#totalAmount').text('$' + total.toFixed(2));
+                    $('#Total').val(total.toFixed(2));
+                }
+            </script>
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="col-sm-12 col-md-10 col-md-offset-1">
+                        <table class="table table-hover">
+                            <thead>
+                            <tr>
+                                <th>Product</th>
+                                <th>Quantity</th>
+                                <th class="text-center">Price</th>
+                                <th class="text-center">Total</th>
+                                <th> </th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            <tr>
+                                <td class="col-sm-8 col-md-6">
+                                    <div class="media">
+                                        <a class="thumbnail pull-left" href="#"> <img class="media-object"
+                                                                                      th:src="@{/images/samsung.jpg}"
+                                                                                      style="width: 72px; height: 72px;"></img>
+                                        </a>
+                                        <div class="media-body">
+                                            <h4 class="media-heading"><a href="#">55'' M5510 White Full HD Smart TV</a>
+                                            </h4>
+                                            <h5 class="media-heading"> by <a href="#">Samsung</a></h5>
+                                            <span>Status: </span><span
+                                                class="text-success"><strong>In Stock</strong></span>
+                                        </div>
+                                    </div>
+                                </td>
+                                <td>
+                                    <input size="2" value="1" name="QTY" type="TEXT" id="QTY"/>
+                                </td>
+                                <td class="col-sm-1 col-md-1 text-center"><strong><span
+                                        id="price">2999.99</span></strong></td>
+                                <td class="col-sm-1 col-md-1 text-center"><strong><span
+                                        id="total">$2999.99</span></strong></td>
+                                <td class="col-sm-1 col-md-1">
+                                    <button type="submit" id="remove" class="btn btn-danger">
+                                        <span class="glyphicon glyphicon-remove" onclick="clear()"></span> Remove
+                                    </button>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td>  </td>
+                                <td>  </td>
+                                <td>  </td>
+                                <td><h5>Subtotal</h5></td>
+                                <td class="text-right"><h5><strong><span id="subtotal">$2999.99</span></strong></h5>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td>  </td>
+                                <td>  </td>
+                                <td>  </td>
+                                <td><h5>Shipping costs</h5></td>
+                                <td class="text-right"><h5><strong>$0.00</strong></h5>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td>  </td>
+                                <td>  </td>
+                                <td>  </td>
+                                <td><h3>Total</h3></td>
+                                <td class="text-right"><h3><strong><span id="totalAmount">$2999.99</span></strong></h3>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td>  </td>
+                                <td>  </td>
+                                <td>  </td>
+                                <td>
+                                    <button type="button" class="btn btn-default">
+                                        <span class="glyphicon glyphicon-shopping-cart"></span> Continue Shopping
+                                    </button>
+                                </td>
+                                <td>
+                                    <div id="checkout">
+                                        <button type="submit" class="btn btn-success">
+                                            Checkout <span class="glyphicon glyphicon-play"></span>
+                                        </button>
+                                    </div>
+                                </td>
+                                <input id="Total" name="Total" type="HIDDEN" value="2999.99"/>
+                            </tr>
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        </form>
+        <br/><br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
     </div>
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:HtmlTampering_Mitigation.adoc"></div>
+</div>
 </html>
diff --git a/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties
index 8084fcf71..24ae7a2ed 100755
--- a/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties
@@ -3,3 +3,7 @@ html-tampering.title=HTML tampering
 
 html-tampering.tamper.success=Well done, you just bought a TV at a discount
 html-tampering.tamper.failure=This is too expensive... You need to buy at a cheaper cost!
+
+hint1=Try to change the number of items and see what is happening
+hint2=Is the price part of the HTML request?
+hint3=Intercept the request and manipulate the price before submitting it.
diff --git a/webgoat-lessons/html-tampering/src/main/resources/images/samsung.jpg b/webgoat-lessons/html-tampering/src/main/resources/images/samsung.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..dd15a64cf98c3b29fcc31b5ddc06af62f914286f
GIT binary patch
literal 3547
zcmbtWXIPWT7XDHofRrR4RUy=bDnvR9gb<M41Qu~Ynk*fHG!+y?=?jD+D7H|gcQ#0`
zp($0Qsem9L(ov+W+~DrL-v4{P`SHy&bLN>d?|aUBjwg<10l0y#zAgX)fdD<)2OLiW
z+9$JrWhaOHs{>A)kJ|wR13&;mARq()Mt~p)&~Ycg4*(!27y<%*8ibC45efr=>6vKj
zoF}e7*G~RG;NvNPndSn9L*TS21ppw06F>H_1iN<LfAYDkT_5Q{iWf0XKSf*5@p@-5
z{3R^{1JKWCQ16A$&d$d0rfevZq;h$1z?r1F2nTjm#$-v00M`+PG%^N&kiPav1tSo0
zeXC=S>ua*ED)s@u$FSlD+3l`^3w?ECq>(pk=~GwvdM2S!Vp7Jjc1G0|$?xQusTtgZ
z;5%!O$tMYcSe?WR5D`5b6#=18Dky~sice|bU}zVngFya2Vh|WY2c?HGAlTtZ4ir{i
zP)Jse79ayHY!Dsz%gmqOlg66kOFXidDAIWZ4<!kmGp^-jK~UGSlBGVhxy=)s55AZ2
z4uYL38<G}A??2eIER~#I4C)+H+WgY=>BuORGS0J}WP6U16m8f2K~kL>_OQD=W5&Mb
z3K4y<E9>yOVjyYD-teYlv69;BRh>O}d7FSX6Vji#d)R)3vMpQ_Jdk7Jflssu{1oaL
zYMIXYOIop=7+cu5@a9|cG+#9FP}IwL#%m-Qd5T=%x2Ag5FiomtCecfc#UxLKL03{*
zl=AR0Yi#Ys)~X>_bp{4!hx=4t>*Q2Z-U~?BDTkFQel=~XTgV#NvBIcMIazs#Utd(1
z_EfwymVhDu551NdfPf3)emo8Y1kwcIt)H;V*ej;ec1s~>EQi7velm&1GPqU*7%3=g
zPHIER;T(yT!*f{j=GG5?@QME{SxGA+U#q0!oX7YzmybMb+wb1Mv&c`f41&5pSp+~g
zbmx~DS8iyach7>xR&G3J@aN6$dCZ$9#r%2w_4Q%)%~DIJCRmzFPNK03(sQNiKuLml
zWAi=jIyg9urVuDS^b{TA-ywiO5GWl2phpU_bD-p~=5Q@XB1{Nx;pBfUAc9nVS~xPL
zQdCy{4mrDKc;p}a={3QV9hRk%21_OZi-(ggVrjKDvCx%m*Jg17en132U9%HGDY(Z)
zD%a@`(pF4JryP#HRBf-1G$wnPW{<>W$1d+CI&{Vx3-0$jj=ajus#D8)(57JEPX#?!
zy&W@mR8=K1{@Ea3d{Ii?d3&ees!f8x!*jRoBE(X779jE6r6N)ng+C=X%hYdOZD3&e
zpa<hjXDkshYSe9<7vkf-(zhQpsnOq9rT1C};pEJ$+tilZ*#fP_b&d{+oE!C7!WJL7
zB<@wI=Z|Iti9ID1aLo-9n@VR7{Oz7A=KXp9I(?r;PY$!u2fDjPPHDRGFGTufSjO4R
zZX1_FeSSp?`Fe??ACdffFy=bzfgfM03!22ouWhgmlh*Jz`vok$_@95zvWLah{M8`v
z-R^Dq01>UzYhp5(@o_Bcdk|TDF{wz=WMOKPaC0R@NV~!Kw5ZXQi6$=1iUQ3s(Wk2(
z?C)$2a$MFY<C9`6xkHqLv+YF{vk2bd=u;a4#C&a$`M~jMQ>iYAx)fucJ8E?^Rg$(O
zzE<<fvX8KGjUKlw7v`=~h{60rH_HUKd2`C;muT_p_u)J>ys1^ekA6$l&(n&{D2~>G
zhn;n2CN;Sa#FRBy^m>JMjmNp>jxmc6F5iiQb6egyTP=uhudy;(ZY(ux81~MSc+sof
zK4;=0$EN6P@*>eLX!z0i20p`<WAL|*)iZ^$k+>#HV(Xw#hg0mWZCs>u-fzVGEXC+8
z6S=0<`8amxSbw9>BZLd@dS~#@ii^df(%M_=>@Ru{eHu9D(Q%nsZW5G2LVFPPbnx$N
zbV{nJ(eJP52P*wh(%2eZ^hG+-tRDGw#^)}p(fVh1RVEFyE|X`Kf&~`wnfu-tW$-K~
zK`aJeI2E6A<Q;qYw0($oGP<wNqr)R0U%`uLt|TU59qV-up@!^(M=-aiYy8#bM`}?C
z)C;?G*49NiJDl*GAciSTZa|h%8-GD_Mc~xa&KuV<4Q^xaHWCO1gy(mrL{(U==j!yU
zt(LsU-_nK;pWk%Ubm<G)n7p=3%PlmVR{B9;Iyw;WPk8_#1OYiMILe%~=}3$q56{U~
zw*9w+Y6>p4XiJ$Jow9tG8C$-cguj$;oHLSoc-1hCsKrj{E~F3{ND+ma*|s<3f&)}@
zWjyoN7Ur>t+QccD8zDTAA3x2ey%ENXfK9TH)PO>bk;DlO=_0P6M_c)EyYbzjl;H1N
zKCYM<+eyAs5wnu?Pj!+K-B#XV*U@O1mAZ1~a1N6Glc~e&t>@Y&d*(XLQO+B%Ded7K
zvwVxu#{l+P_}DI6PDE=(1^n?%c1fK!M6+$<*v|B|ig&HYfQ{*^GfdcaLsRifes(Uz
zRKJR}t|dO+?il4P9)GxUs!DjRc&JS>2a1ny!?Fm3!AWzGN!2!<whHnSdmL?^y^3xx
zxK58%a$9W=&G!b{e#&Qk>bY1`KlX7<l8=x+3wN60Yg8<JCRdqSVzkL^tv!^j%3fiF
zlEp>BwBkAk9pu-NMj7w*vkN_|Fyvhrigz5X3Dr(sC%eZe&=+$D;QGC1Aa&AKGMsqW
z5L|-+i-kF}iU{!VPv8?6W@BVpE->%24P4e>+Yx~6uqo{@9RmWHnwptxnweZl16XE)
z<w3}88d5*h{0Eveef(jO?kNDkVFvJk0C+eMLu(QMD3S&-08P=uT@!anVT6Y;pa6XU
zjDyiQfjKGvbTGP~y#lTL3(9G2niC^P<jOX<tmE(;>Zf$Tzl+b>-JjWgK)IG!myKn_
zboT4t{CzreH{lrIHytds(iq6#u~QQmad{heuBPKFO7iw_Ojp3IdiIgurMaHo-(%KZ
zn*Vbm3L%#v+gC6n5sDOFP%{!9ah)3s+=?XY@D_>3V=R)-psz2I+}aM$4?$<Ma>T3L
z1#k;os6I2mzV=enFlV;EvHRS?#s${CQ>q$cE~Xz(*o~m+J_rV-3EV$@4+tR#2x^%V
zNn|+6aWkT_4JSMIKMjL_#}r=>*qL0$2pUc%xL@8F5e^#Z_54cMakq-ftt`>dQcC^Q
zYNMgAqNg;{W5@n{A*ClnL`D7E5$gqN!hv)LnluBRb6U-dFAS8awicHP_OILzOH7<^
zP8#%E+mlrAYkm-HI(NP|ph0rI1(q{kR(k18bJNV&+kjiX)c1plU&~v<hMpT*q!}i7
zlH}YTo}VjIJMwl%ndmEXzwoENtaLh0Ik2@^J;gs(u88z2%H}PJGPJX)k&+%hWZPKG
zoaetd%g1MH5j9w4cMNobp*&1{0q{bZ3gXTBmwlc_;MpOW@4hDx|493j-s!(x!QW}`
zNP`$oB5$H9+va44|5kU}6KcYb2#{n<iYJ`h1MhjdC}&Xm3j2E5!X=EWL?^{&_Z}J4
znbP^}t`c~v0tu?Njg1n*x)GfG+6MkOblI&v!&s~q_Rt5!-Am8I*p|&Ht-z-2=!+N1
zD*)Fy!QWV~?zeSdc_l3GNo8Y1ml5lz-4tKheyV1gBiZ?Al1^R<^D2*13XZvIQB+i{
zQN-J<M9tmVJM8L^4xy!WS%FZZjuB@pn$T4uu{Ihu-c+9;jPvHnO&R~N?^QdX=;5`Z
zDezeRSF4*#;rri41vl1PsLg7QmDni@po*ZyjI~@aZBEws%fC_nns}Mt^4gVjzI;bF
zKCKBM%6odLV}O$T^wzh!3G{&JmyI(e+echiZa)&F7>xLuHhja5I-aIvy>P=+iK3F#
zQhL1HD@3kz-0{;V^wV{rrhRt4#mbP^xg7@bEDW?QY(*wURNCkr(gebu5Z{|C{`Ix3
zT*Oq>Dc?0WGGr;IaGV%@5G^XBs*sLt{QWB{C!1A4oTT$CeJK7}RFUsWf=!4Iyq$C3
zAnGv!i;ZH9;NMDiYUdq~WQhk%n9hfDpcan-`?sMg4BDF&>PV#Q?pv2klz^Kgv|`vY
z&Wy5&1C`@gJ<jg?0kI%TM5r(GPP0v&uV?X_HQkFrVP8Ag*-KN_MC{z|6K$fG)5oce
zia0wM(}TBKdJ-(sADFZ+sqZ-3+NaA?mJQEgEsYhK>GXEP=nYcNzDU-suJ`oQu@Qz~
z`0--OnB8AFUj<m0TcC`Da$@R*o~hlXl^xSI!fN2zif6daz7Os(cXlOb8H`y*3arbn
z7A78bfmj%SSq%qP*jMC|qdJX8%Or%0vz~12g_dF8*uRSGZ8l*MRZ#t+-=C^xXmUH+
z2YXqtX6#@q4zJW?+N^kws=a<|G+qmiz8J}#ETJ0ae$RR@Cp&92GnR^6U)?J+^vbDf
JsUAI^{10Jk$_@Yk

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc
index d2dd4b243..998433314 100755
--- a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc
+++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc
@@ -2,6 +2,7 @@
 == Concept
 Browsers generally offer many options of editing the displayed content. Developers
 therefore must be aware that the values sent by the user may have been tampered with.
+
 == Goals
 * The user should have a basic understanding of HTML
 * The user will be able to exploit editing front end of website
diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc
new file mode 100755
index 000000000..22eb72fa2
--- /dev/null
+++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc
@@ -0,0 +1,14 @@
+=== Mitigation
+
+In this simple example you noticed that the price is calculated server side and send to the server. The server
+accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up
+the price of the television in your database and calculate the total price again.
+
+
+In a real application you should never rely on client side validation it is important to verify all the input
+send by the client. Always remember: **NEVER TRUST INPUT SEND BY A CLIENT.**
+
+''''
+==== References
+
+https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc
index 60b07989d..ae07f6891 100755
--- a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc
+++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc
@@ -1,2 +1,2 @@
 === Try it yourself
-This is an internet store. Try to buy TV-s for a lower price.
+In an online store you ordered a new TV, try to buy one or more TVs for a lower price.