Miscellaneous bug fixes

divide by zero, inaccurate discount and totals, reflection of user input


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_plans/DangerousEval.html

@@ -0,0 +1,14 @@
+<div align="Center">
+<p><b>Lesson Plan Title: </b>Dangerous Use of Eval</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+It is always a good practice to validate all input on the server side. XSS can occur
+when unvalidated user input is reflected directly into an HTTP response. In this lesson, unvalidated
+user-supplied data is used in conjunction with a Javascript eval() call. In a reflected
+XSS attack, an attacker can craft a URL with the attack script and store it on another
+website, email it, or otherwise trick a victim into clicking on it.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+For this exercise, your mission is to come up with some input which, when run through eval,
+will execute a malicious script. In order to pass this lesson, you must 'alert()' document.cookie.