dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved lessons to this project.

Browse Source
This commit is contained in:
Nanne Baars 2016-10-13 12:09:01 -04:00
parent 660f8bc660
commit c72e8df532
34 changed files with 1314 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pom.xml
View File

@ -168,6 +168,7 @@
<modules>
<module>webgoat-container</module>
<module>webgoat-lessons</module>
</modules>
<distributionManagement>

12
webgoat-lessons/client-side-filtering/pom.xml Normal file
View File

@ -0,0 +1,12 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>client-side-filtering</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
</parent>
</project>

58
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java Normal file
View File

@ -0,0 +1,58 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.lessons.LessonEndpoint;
import org.owasp.webgoat.lessons.LessonEndpointMapping;
import org.owasp.webgoat.lessons.model.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since August 11, 2016
*/
@LessonEndpointMapping
public class Attack extends LessonEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer) throws IOException {
if ("450000".equals(answer)) {
return trackProgress(AttackResult.success());
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
}
}
@Override
public String getPath() {
return "/clientSideFiltering/attack1";
}
}

67
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java Normal file
View File

@ -0,0 +1,67 @@
package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.session.WebSession;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
public class ClientSideFiltering extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.ACCESS_CONTROL;
}
@Override
public List<String> getHints(WebSession webSession) {
return Lists.newArrayList("Many sites attempt to restrict access to resources by role.",
"Developers frequently make mistakes implementing this scheme.",
"Attempt combinations of users, roles, and resources.");
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "Client side filtering";
}
@Override
public String getId() {
return "ClientSideFiltering";
}
}

108
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java Normal file
View File

@ -0,0 +1,108 @@
package org.owasp.webgoat.plugin;
/**
*
*/
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.LessonEndpoint;
import org.owasp.webgoat.lessons.LessonEndpointMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@LessonEndpointMapping
public class Salaries extends LessonEndpoint {
@RequestMapping(method = RequestMethod.GET)
public void invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String userId = req.getParameter("userId");
NodeList nodes = null;
File d = new File(getPluginDirectory(), "ClientSideFiltering/html/employees.xml");
XPathFactory factory = XPathFactory.newInstance();
XPath xPath = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
sb.append("/Employees/Employee/LastName | ");
sb.append("/Employees/Employee/SSN | ");
sb.append("/Employees/Employee/Salary ");
String expression = sb.toString();
try {
nodes = (NodeList) xPath.evaluate(expression, inputSource,
XPathConstants.NODESET);
} catch (XPathExpressionException e) {
e.printStackTrace();
}
int nodesLength = nodes.getLength();
TR tr;
int COLUMNS = 5;
Table t2 = null;
if (nodesLength > 0) {
t2 = new Table().setCellSpacing(0).setCellPadding(0)
.setBorder(1).setWidth("90%").setAlign("center");
tr = new TR();
tr.addElement(new TD().addElement("UserID"));
tr.addElement(new TD().addElement("First Name"));
tr.addElement(new TD().addElement("Last Name"));
tr.addElement(new TD().addElement("SSN"));
tr.addElement(new TD().addElement("Salary"));
t2.addElement(tr);
}
tr = new TR();
for (int i = 0; i < nodesLength; i++) {
Node node = nodes.item(i);
if (i % COLUMNS == 0) {
tr = new TR();
tr.setID(node.getTextContent());
//tr.setStyle("display: none");
}
tr.addElement(new TD().addElement(node.getTextContent()));
if (i % COLUMNS == (COLUMNS - 1)) {
t2.addElement(tr);
}
}
if (t2 != null) {
resp.getWriter().println(t2.toString());
} else {
resp.getWriter().println("No Results");
}
}
@Override
public String getPath() {
return "/clientSideFiltering/salaries";
}
}

77
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,77 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"><!-- reuse this block for each 'page' of content -->
<!-- include content here ... will be first page/tab multiple -->
<div class="adoc-content" th:replace="doc:ClientSideFiltering_plan.adoc"></div>
<br/>
<div class="attack-container">
<input type="hidden" id="user_id" value="102"/>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/clientSideFiltering/attack1">
<link rel="stylesheet" type="text/css"
th:href="@{/plugin_lessons/plugin/ClientSideFiltering/html/clientSideFiltering-stage1.css}"/>
<script th:src="@{/plugin_lessons/plugin/ClientSideFiltering/js/clientSideFiltering.js}"
language="JavaScript"></script>
<input id="userID" value="102" name="userID" type="HIDDEN"/>
<div id="lesson_wrapper">
<div id="lesson_header"></div>
<div class="lesson_workspace"><br/><br/>
<p>Select user: <select id="UserSelect" onfocus="fetchUserData()" name="UserSelect"
onchange="selectUser()">
<option value="0" label="Choose Employee">Choose Employee</option>
<option value="101" label="Larry Stooge">Larry Stooge</option>
<option value="103" label="Curly Stooge">Curly Stooge</option>
<option value="104" label="Eric Walker">Eric Walker</option>
<option value="105" label="Tom Cat">Tom Cat</option>
<option value="106" label="Jerry Mouse">Jerry Mouse</option>
<option value="107" label="David Giambi">David Giambi</option>
<option value="108" label="Bruce McGuirre">Bruce McGuirre</option>
<option value="109" label="Sean Livingston">Sean Livingston</option>
<option value="110" label="Joanne McDougal">Joanne McDougal</option>
</select></p>
<p></p>
<table style="display: none" id="hiddenEmployeeRecords" align="center" border="1" cellpadding="2"
cellspacing="0" width="90%">
<div>
</div>
</table>
<table align="center" border="1" cellpadding="2" cellspacing="0" width="90%">
<tbody>
<tr>
<td>User ID</td>
<td>First Name</td>
<td>Last Name</td>
<td>SSN</td>
<td>Salary</td>
</tr>
<tr id="employeeRecord"></tr>
</tbody>
</table>
</div>
</div>
<table cellpadding="2" cellspacing="0">
<tbody>
<tr>
<td>What is Neville Bartholomew's salary?</td>
<td><input id="answer" name="answer" value="" type="TEXT"/></td>
<td align="LEFT"><input name="SUBMIT" value="Submit Answer" type="SUBMIT"/></td>
</tr>
</tbody>
</table>
</form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</html>

3
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/clientSideFiltering-stage1.css Normal file
View File

@ -0,0 +1,3 @@
#lesson_wrapper {height: 435px;width: 500px;}
#lesson_header {background-image: url(../images/lesson1_header.jpg); width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}

254
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml Normal file
View File

@ -0,0 +1,254 @@
<?xml version="1.0" encoding="UTF-8"?>
<Employees>
<Employee >
<UserID>101</UserID>
<FirstName>Larry</FirstName>
<LastName>Stooge</LastName>
<Street>9175 Guilford Rd</Street>
<CS>New York, NY</CS>
<Phone>443-689-0192</Phone>
<StartDate>1012000</StartDate>
<SSN>386-09-5451</SSN>
<Salary>55000</Salary>
<CreditCard>2578546969853547</CreditCard>
<Limit>5000</Limit>
<Comments>Does not work well with others</Comments>
<DisciplinaryExplanation>Constantly harassing coworkers</DisciplinaryExplanation>
<DisciplinaryDate>10106</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>102</UserID>
<FirstName>Moe</FirstName>
<LastName>Stooge</LastName>
<Street>3013 AMD Ave</Street>
<CS>New York, NY</CS>
<Phone>443-938-5301</Phone>
<StartDate>3082003</StartDate>
<SSN>936-18-4524</SSN>
<Salary>140000</Salary>
<CreditCard>NA</CreditCard>
<Limit>0</Limit>
<Comments>Very dominating over Larry and Curly</Comments>
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate>
<Managers>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>103</UserID>
<FirstName>Curly</FirstName>
<LastName>Stooge</LastName>
<Street>1112 Crusoe Lane</Street>
<CS>New York, NY</CS>
<Phone>410-667-6654</Phone>
<StartDate>2122001</StartDate>
<SSN>961-08-0047</SSN>
<Salary>50000</Salary>
<CreditCard>NA</CreditCard>
<Limit>0</Limit>
<Comments>Owes three-thousand to company for fradulent purchases</Comments>
<DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
<DisciplinaryDate>101014</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>104</UserID>
<FirstName>Eric</FirstName>
<LastName>Walker</LastName>
<Street>1160 Prescott Rd</Street>
<CS>New York, NY</CS>
<Phone>410-887-1193</Phone>
<StartDate>12152005</StartDate>
<SSN>445-66-5565</SSN>
<Salary>13000</Salary>
<CreditCard>NA</CreditCard>
<Limit>0</Limit>
<Comments>Late. Always needs help. Too intern-ish.</Comments>
<DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate>
<Managers>
<Manager>107</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>105</UserID>
<FirstName>Tom</FirstName>
<LastName>Cat</LastName>
<Street>2211 HyperThread Rd.</Street>
<CS>New York, NY</CS>
<Phone>443-599-0762</Phone>
<StartDate>1011999</StartDate>
<SSN>792-14-6364</SSN>
<Salary>80000</Salary>
<CreditCard>5481360857968521</CreditCard>
<Limit>30000</Limit>
<Comments>Co-Owner.</Comments>
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate>
<Managers>
<Manager>106</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>106</UserID>
<FirstName>Jerry</FirstName>
<LastName>Mouse</LastName>
<Street>3011 Unix Drive</Street>
<CS>New York, NY</CS>
<Phone>443-699-3366</Phone>
<StartDate>1011999</StartDate>
<SSN>858-55-4452</SSN>
<Salary>70000</Salary>
<CreditCard>6981754825013564</CreditCard>
<Limit>20000</Limit>
<Comments>Co-Owner.</Comments>
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>107</UserID>
<FirstName>David</FirstName>
<LastName>Giambi</LastName>
<Street>5132 DIMM Avenue</Street>
<CS>New York, NY</CS>
<Phone>610-521-8413</Phone>
<StartDate>5011999</StartDate>
<SSN>439-20-9405</SSN>
<Salary>100000</Salary>
<CreditCard>6981754825018101</CreditCard>
<Limit>10000</Limit>
<Comments>Strong work habbit. Questionable ethics.</Comments>
<DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
<DisciplinaryDate>61402</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>108</UserID>
<FirstName>Bruce</FirstName>
<LastName>McGuirre</LastName>
<Street>8899 FreeBSD Drive&lt;script&gt;alert(document.cookie)&lt;/script&gt; </Street>
<CS>New York, NY</CS>
<Phone>610-282-1103</Phone>
<StartDate>3012000</StartDate>
<SSN>707-95-9482</SSN>
<Salary>110000</Salary>
<CreditCard>6981754825854136</CreditCard>
<Limit>30000</Limit>
<Comments>Enjoys watching others struggle in exercises.</Comments>
<DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
<DisciplinaryDate>61502</DisciplinaryDate>
<Managers>
<Manager>107</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>109</UserID>
<FirstName>Sean</FirstName>
<LastName>Livingston</LastName>
<Street>6422 dFlyBSD Road</Street>
<CS>New York, NY</CS>
<Phone>610-878-9549</Phone>
<StartDate>6012003</StartDate>
<SSN>136-55-1046</SSN>
<Salary>130000</Salary>
<CreditCard>6981754825014510</CreditCard>
<Limit>5000</Limit>
<Comments>Has some fascination with Steelers. Go Ravens.</Comments>
<DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
<DisciplinaryDate>72804</DisciplinaryDate>
<Managers>
<Manager>107</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>110</UserID>
<FirstName>Joanne</FirstName>
<LastName>McDougal</LastName>
<Street>5567 Broadband Lane</Street>
<CS>New York, NY</CS>
<Phone>610-213-6341</Phone>
<StartDate>1012001</StartDate>
<SSN>789-54-2413</SSN>
<Salary>90000</Salary>
<CreditCard>6981754825081054</CreditCard>
<Limit>300</Limit>
<Comments>Finds it necessary to leave early every day.</Comments>
<DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>106</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>111</UserID>
<FirstName>John</FirstName>
<LastName>Wayne</LastName>
<Street>129 Third St</Street>
<CS>New York, NY</CS>
<Phone>610-213-1134</Phone>
<StartDate>1012001</StartDate>
<SSN>129-69-4572</SSN>
<Salary>200000</Salary>
<CreditCard>4437334565679921</CreditCard>
<Limit>300</Limit>
<Comments></Comments>
<DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>112</UserID>
<FirstName>Neville</FirstName>
<LastName>Bartholomew</LastName>
<Street>1 Corporate Headquarters</Street>
<CS>San Jose, CA</CS>
<Phone>408-587-0024</Phone>
<StartDate>3012000</StartDate>
<SSN>111-111-1111</SSN>
<Salary>450000</Salary>
<CreditCard>4803389267684109</CreditCard>
<Limit>300</Limit>
<Comments></Comments>
<DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>112</Manager>
</Managers>
</Employee>
</Employees>

BIN
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/images/lesson1_header.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/images/lesson1_workspace.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

92
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js Normal file
View File

@ -0,0 +1,92 @@
var dataFetched = false;
var json;
//TODO: reimplement this
function selectUser() {
var newEmployeeID = document.getElementById("UserSelect").options[document.getElementById("UserSelect").selectedIndex].value;
if (navigator.userAgent.indexOf("MSIE ") == -1) {
document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
}
else {
//IE is a buggy ....
var TR = document.createElement("tr");
var TD0 = document.createElement("td");
var TD1 = document.createElement("td");
var TD2 = document.createElement("td");
var TD3 = document.createElement("td");
var TD4 = document.createElement("td");
var text0 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[0].firstChild.nodeValue);
var text1 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[1].firstChild.nodeValue);
var text2 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[2].firstChild.nodeValue);
var text3 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[3].firstChild.nodeValue);
var text4 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[4].firstChild.nodeValue);
TD0.appendChild(text0);
TD1.appendChild(text1);
TD2.appendChild(text2);
TD3.appendChild(text3);
TD4.appendChild(text4);
TR.appendChild(TD0);
TR.appendChild(TD1);
TR.appendChild(TD2);
TR.appendChild(TD3);
TR.appendChild(TD4);
document.getElementById("employeeRecord").appendChild(TR);
}
}
function fetchUserData() {
if (!dataFetched) {
dataFetched = true;
ajaxFunction(document.getElementById("userID").value);
}
}
function ajaxFunction(userId) {
var xmlHttp;
try {
// Firefox, Opera 8.0+, Safari
xmlHttp = new XMLHttpRequest();
}
catch (e) {
// Internet Explorer
try {
xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e) {
try {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e) {
alert("Your browser does not support AJAX!");
return false;
}
}
}
xmlHttp.onreadystatechange = function () {
var result = xmlHttp.responseText;
if (xmlHttp.readyState == 4) {
//We need to do this because IE is buggy
var newdiv = document.createElement("div");
newdiv.innerHTML = result;
var container = document.getElementById("hiddenEmployeeRecords");
container.appendChild(newdiv);
}
}
xmlHttp.open("GET", "/WebGoat/clientSideFiltering/salaries?userId=" + userId, true);
xmlHttp.send(null);
}

12
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/en/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,12 @@
<div align="Center">
<p><b>Lesson Plan Title: </b>Client Side Filtering</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
It is always a good practice to send to the client only information which they are supposed
to have access to. In this lesson, too much information is being sent to the client, creating
a serious access control problem.
<!-- Stop Instructions -->
<p><b>General Goal(s):</b> </p>
For this exercise, your mission is exploit the extraneous information being returned by the
server to discover information to which you should not have access.

6
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/en/ClientSideFiltering_plan.adoc Normal file
View File

@ -0,0 +1,6 @@
== Client Side Filtering
It is always a good practice to send to the client only information which they are supposed
to have access to. In this lesson, too much information is being sent to the client, creating
a serious access control problem. For this exercise, your mission is exploit the extraneous information being returned
by the server to discover information to which you should not have access.

11
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/ru/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,11 @@
<div align="Center">
<p><b>Название урока: </b>Фильтрация данных на стороне клиента</p>
</div>
<p><b>Тема для изучения:</b> </p>
<!-- Start Instructions -->
Всегда считается хорошей практикой отправлять на сторону клиента только ту информацию, доступ к которой он имеет.
В данном уроке на сторону клиента будет отправлено очень много информации, что создаст серьёзные проблемы с контролем доступа к ней.
<!-- Stop Instructions -->
<p><b>Основные цели и задачи:</b> </p>
Ваша цель состоит в том, чтоб среди принимаемых со стороны сервера данных найти ту
информацию, доступа к которой у вас нет.

84
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonSolutions/en/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,84 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Client Side Filtering</title>
<link rel="stylesheet" type="text/css" href="formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Client Side Filtering</p>
<p><b>Concept / Topic To Teach:</b><br/>
It is always a good practice to send to the client
only information which they are supposed to have access to.
In this lesson, too much information is being sent to the
client, creating a serious access control problem.
</p>
<p><b>General Goal(s):</b><br/>
For this exercise, your mission is exploit the extraneous
information being returned by the server to discover information
to which you should not have access.
</p>
<b>Solution:</b><br/>
<p>
This Lab consists of two Stages. In the first Stage you have to
get sensitive information . In the second one you have to fix the problem.<br/>
</p>
<b>Stage 1</b>
<p>
Use Firebug to solve this stage. If you are using IE you can try it with
IEWatch.</p>
First use any person from the list and see what you get. After doing this you
can search for a specific person in Firebug. Make sure you find the hidden table with
the information, including the salary and so on. In the same table you will find
Neville.
<img src="ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" /><br>
<font size="2"><b>Inspect HTML on Firebug</b></font>
<p>
Now write the salary into the text edit box and submit your answer!
</p>
<b>Stage 2</b>
<p>
In this stage you have to modify the clientSideFiltering.jsp which you will find under
the WebContent in the lessons/Ajax folder. The Problem is that
the server sends all information to the client. As you could see
even if it is hidden it is easy to find the sensitive date. In this
stage you will add a filter to the XPath queries. In this file you will find
following construct:<br><br></p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee/UserID | ");<br>
sb.append("/Employees/Employee/FirstName | ");<br>
sb.append("/Employees/Employee/LastName | ");<br>
sb.append("/Employees/Employee/SSN | ");<br>
sb.append("/Employees/Employee/Salary ");<br>
String expression = sb.toString();<br>
</code>
<p>
This string will be used for the XPath query. You have to guarantee that a manger only
can see employees which are working for him. To archive this you can use
filters in XPath. Following code will exactly do this:</p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
String expression = sb.toString();<br>
</code>
<p>
Now only information is sent to your client you are authorized for. You can click on the button.
</p>
</body>
</html>

BIN
webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

26
webgoat-lessons/client-side-filtering/src/main/resources/plugin/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,26 @@
ClientSideFilteringSelectUser=Select user:
ClientSideFilteringUserID=User ID
ClientSideFilteringFirstName=First Name
ClientSideFilteringLastName=Last Name
ClientSideFilteringSSN=SSN
ClientSideFilteringSalary=Salary
ClientSideFilteringErrorGenerating=Error generating
ClientSideFilteringStage1Complete=Stage 1 completed.
ClientSideFilteringStage1Question=What is Neville Bartholomew's salary?
ClientSideFilteringStage1SubmitAnswer=Submit Answer
ClientSideFilteringStage2Finish=Click here when you believe you have completed the lesson.
ClientSideFilteringChoose=Choose Employee
ClientSideFilteringHint1=Stage 1: The information displayed when an employee is chosen from the drop down menu is stored on the client side.
ClientSideFilteringHint2=Stage 1: Use Firebug to find where the information is stored on the client side.
ClientSideFilteringHint3=Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu.
ClientSideFilteringHint4=Stage 1: Look in the last row of the hidden table.
ClientSideFilteringHint5a=Stage 1: You can access the server directly
ClientSideFilteringHint5b=here
ClientSideFilteringHint5c=to see what results are being returned
ClientSideFilteringHint6=Stage 2: The server uses an XPath query against an XML database.
ClientSideFilteringHint7=Stage 2: The query currently returns all of the contents of the database.
ClientSideFilteringHint8=Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102
ClientSideFilteringHint9=Stage 2: Try using a filter operator.
ClientSideFilteringHint10=Stage 2: Your filter operator should look something like: [Managers/Manager/text()=
ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, Neville Bartholomew. Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find.
ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see.

12
webgoat-lessons/http-basics/pom.xml Normal file
View File

@ -0,0 +1,12 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>http-basics</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
</parent>
</project>

69
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasics.java Normal file
View File

@ -0,0 +1,69 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.session.WebSession;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
public class HttpBasics extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public List<String> getHints(WebSession webSession) {
return Lists.newArrayList("Type in your name and press 'go'",
"Turn on Show Parameters or other features",
"Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>",
"Press the Show Lesson Plan button to view a lesson summary",
"Press the Show Solution button to view a lesson solution",
"Use OWASP ZAP to intercept the request and see the type of HTTP command");
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "HTTP Basics";
}
@Override
public String getId() {
return "HttpBasics";
}
}

65
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java Normal file
View File

@ -0,0 +1,65 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.lessons.LessonEndpoint;
import org.owasp.webgoat.lessons.LessonEndpointMapping;
import org.owasp.webgoat.lessons.model.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@LessonEndpointMapping
public class HttpBasicsLesson extends LessonEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String person, HttpServletRequest request) throws IOException {
if (!person.toString().equals("")) {
return AttackResult.success("The server has reversed your name: " + new StringBuffer(person).reverse().toString());
} else {
return AttackResult.failed("You are close, try again");
}
}
@Override
public String getPath() {
return "/HttpBasics/attack1";
}
}

73
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java Normal file
View File

@ -0,0 +1,73 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.lessons.LessonEndpoint;
import org.owasp.webgoat.lessons.LessonEndpointMapping;
import org.owasp.webgoat.lessons.model.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@LessonEndpointMapping
public class HttpBasicsQuiz extends LessonEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
return AttackResult.success();
} else {
StringBuffer message = new StringBuffer();
if (!"POST".equals(answer.toUpperCase())) {
message.append("The HTTP Command is incorrect. ");
}
if (!magic_answer.equals(magic_num)){
message.append("The magic number is incorrect. ");
}
return AttackResult.failed("You are close, try again. " + message.toString());
}
}
@Override
public String getPath() {
return "/HttpBasics/attack2";
}
}

86
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html Normal file
View File

@ -0,0 +1,86 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_plan.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content -->
<!-- sample ascii doc content for second page -->
<div class="adoc-content" th:replace="doc:HttpBasics_content1.adoc"></div>
<!-- if including attack, reuse this section, leave classes in place -->
<div class="attack-container">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/HttpBasics/attack1"
enctype="application/json;charset=UTF-8">
<div id="lessonContent">
<form accept-charset="UNKNOWN" method="POST" name="form"
action="#attack/307/100" enctype="">
Enter Your Name: <input name="person" value="" type="TEXT"/><input
name="SUBMIT" value="Go!" type="SUBMIT"/>
</form>
</div>
</form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_content2.adoc"></div>
<div class="attack-container">
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/HttpBasics/attack2"
enctype="application/json;charset=UTF-8">
<script>
// sample custom javascript in the recommended way ...
// a namespace has been assigned for it, but you can roll your own if you prefer
webgoat.customjs.assignRandomVal = function () {
var x = Math.floor((Math.random() * 100) + 1);
document.getElementById("magic_num").value = x;
};
webgoat.customjs.assignRandomVal();
</script>
<input type="hidden" name="magic_num" id="magic_num" value="foo" />
<table>
<tr>
<td>Was the HTTP command a POST or a GET:</td>
<td><input name="answer" value="" type="TEXT" /></td>
<td></td>
</tr>
<tr>
<td>What is the magic number:</td>
<td><input name="magic_answer" value="" type="TEXT" /><input
name="SUBMIT" value="Go!" type="SUBMIT" /></td>
<td></td>
</tr>
</table>
</form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
</html>

29
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/de/HttpBasics.html Normal file
View File

@ -0,0 +1,29 @@
<div align="Center">
<p><b>Lehrplan:</b> Http Basics </p>
</div>
<p><b>Lehrinhalt:</b> </p>
Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
<div align="Left">
<p>
<b>So funktioniert HTTP:</b>
</p>
Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Körper.
Der Client initiiert eine Transaktion wie folgt:<br>
<br>
Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
</div>
<br>
<ul>GET /index.html?param=value HTTP/1.0</ul>
Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
<br>
<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
<br>
<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
<!-- Start Instructions -->
Geben Sie Ihren Namen in das Eingabefeld ein und drücken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurückschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
<br/><br/>
Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knöpfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
Außerdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren.
<!-- Stop Instructions -->

8
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc Normal file
View File

@ -0,0 +1,8 @@
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
== Try It!
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.

4
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_content2.adoc Normal file
View File

@ -0,0 +1,4 @@
== The Quiz
What type of HTTP command did WebGoat use for this lesson. A POST or a GET.

28
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_plan.adoc Normal file
View File

@ -0,0 +1,28 @@
= HTTP Basics
== Concept
This lesson presents the basics for understanding the transfer of data between the browser and the web application and how to trap a request/response with a HTTP proxy.
== Goals
The user should become familiar with the features of WebGoat by manipulating the above
buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using
link:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project[OWASP Zed Attack Proxy] for the first time.
=== How HTTP works:
All HTTP transactions follow the same general format. Each client request and server response has three parts: the request or response line, a header section and the entity body.
The client initiates a transaction as follows:
* The client contacts the server and sends a document request. A GET request can have url parameters and those parameters will be available in the web access logs.
** GET /index.html?param=value HTTP/1.0
* Next, the client sends optional header information to inform the server of its configuration and the document formats it will accept.
** User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*
* In a POST request, the user supplied data will follow the optional headers and is not part of the contained within the POST URL.

33
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/ru/HttpBasics.html Normal file
View File

@ -0,0 +1,33 @@
<div align="Center">
<p><b>Название урока:</b> Основы Http </p>
</div>
<p><b>Тема изучения:</b> </p>
В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
<div align="Left">
<p>
<b>Как работает HTTP:</b>
</p>
Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
<br>
Он соединяется с сервером и отправляет запрос для получения документа <br>
</div>
<br>
<ul>GET /index.html?param=value HTTP/1.0</ul>
Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
(например какие кодировки и типы документов поддерживаются клиентом).<br>
<br>
<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
<p><b>Основные цели и задачи:</b> </p>
<!-- Start Instructions -->
Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
полученных из HTTP-запроса.
<br/><br/>
Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса,
отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
запросов вы можете использовать WebScarab.
<!-- Stop Instructions -->

5
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonSolutions/en/HttpBasics_solution.adoc Normal file
View File

@ -0,0 +1,5 @@
= HTTP Basics
== Solution
Solution goes here

14
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonSolutions/html/HttpBasics.html Normal file
View File

@ -0,0 +1,14 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content -->
<!-- include content here ... will be first page/tab multiple -->
<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
</div>
</html>

2
webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,2 @@
EnterYourName=Enter your Name
Go!=Go!

2
webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_de.properties Normal file
View File

@ -0,0 +1,2 @@
EnterYourName=Geben Sie Ihren Namen ein
Go!=Los gehts!

2
webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties Normal file
View File

@ -0,0 +1,2 @@
EnterYourName=Entrez votre nom
Go!=Go!

2
webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties Normal file
View File

@ -0,0 +1,2 @@
EnterYourName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0435 \u0438\u043c\u044f
Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

69
webgoat-lessons/pom.xml Normal file
View File

@ -0,0 +1,69 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>webgoat-plugins-parent</name>
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<packaging>pom</packaging>
<version>8.0-SNAPSHOT</version>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0-SNAPSHOT</version>
</parent>
<modules>
<module>client-side-filtering</module>
<module>http-basics</module>
</modules>
<dependencies>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-container</artifactId>
<version>${project.version}</version>
<scope>provided</scope>
<type>jar</type>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-container</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-artifact</id>
<phase>package</phase>
<goals>
<goal>copy</goal>
</goals>
<configuration>
<overWriteIfNewer>true</overWriteIfNewer>
<artifactItems>
<artifactItem>
<groupId>${project.groupId}</groupId>
<artifactId>${project.artifactId}</artifactId>
<version>${project.version}</version>
<type>${project.packaging}</type>
</artifactItem>
</artifactItems>
<outputDirectory>../../webgoat-container/src/main/resources/plugin_lessons</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>