From d1fe861a75b424906f8b4c0a0a1031988de87f4b Mon Sep 17 00:00:00 2001 
From: "rogan.dawes" Date: Wed, 11 Jul 2007 12:56:13 +0000 Subject: [PATCH] Add a DB Cross Site Scripting lesson git-svn-id: http://webgoat.googlecode.com/svn/trunk@173 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../DBCrossSiteScripting.java | 253 ++++++++++++++++++ .../DBCrossSiteScripting/UpdateProfile.java | 242 +++++++++++++++++ .../DBCrossSiteScripting/UpdateProfile_i.java | 85 ++++++ .../DBCrossSiteScripting.css | 14 + .../DBCrossSiteScripting.jsp | 26 ++ .../DBCrossSiteScripting/EditProfile.jsp | 134 ++++++++++ .../DBCrossSiteScripting/ListStaff.jsp | 54 ++++ .../lessons/DBCrossSiteScripting/Login.jsp | 37 +++ .../DBCrossSiteScripting/SearchStaff.jsp | 22 ++ .../DBCrossSiteScripting/ViewProfile.jsp | 153 +++++++++++ .../lessons/DBCrossSiteScripting/error.jsp | 3 + .../images/lesson1_SearchWindow.jpg | Bin 0 -> 34912 bytes .../images/lesson1_header.jpg | Bin 0 -> 44854 bytes .../images/lesson1_loginWindow.jpg | Bin 0 -> 9976 bytes .../images/lesson1_menu.jpg | Bin 0 -> 5682 bytes .../images/lesson1_workspace.jpg | Bin 0 -> 23580 bytes 16 files changed, 1023 insertions(+) create mode 100755 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java create mode 100755 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java create mode 100755 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp create mode 100755 
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg create mode 100755 webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java new file mode 100755 index 000000000..fbdd92a9f --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java 
@@ -0,0 +1,253 @@ +package org.owasp.webgoat.lessons.DBCrossSiteScripting; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.ecs.ElementContainer; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile; +import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile; +import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff; +import org.owasp.webgoat.lessons.GoatHillsFinancial.Login; +import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout; +import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff; +import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/** + /******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. 
+ * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. + * + * For details, please see http://code.google.com/p/webgoat/ + * + */ +public class DBCrossSiteScripting extends GoatHillsFinancial +{ + private final static Integer DEFAULT_RANKING = new Integer(100); + + public final static String STAGE1 = "Stage 1"; + + public final static String STAGE2 = "Stage 2"; + + protected void registerActions(String className) + { + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + + // These actions are special in that they chain to other actions. 
+ registerAction(new Login(this, className, LOGIN_ACTION, + getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, + getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, + getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, + UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, + DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); + } + + /** + * Gets the category attribute of the CrossSiteScripting object + * + * @return The category value + */ + public Category getDefaultCategory() + { + return Category.A4; + } + + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + + // Stage 1 + hints.add("You can put HTML tags in form input fields."); + hints + .add("Bury a SCRIPT tag in the field to attack anyone who reads it."); + hints + .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields."); + hints + .add("Enter this: <script>alert(\"document.cookie\");</script> in message fields."); + + // Stage 2 + hints + .add("Many scripts rely on the use of special characters such as: <"); + hints + .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering)."); + hints + .add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern)."); + + return hints; + } + + + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = ""; + + if (!getLessonTracker(s).getCompleted()) + { + String stage = getStage(s); + if (STAGE1.equals(stage)) + { + instructions = "Execute a Stored Cross Site Scripting 
(XSS) attack.
" + + "For this exercise, your mission is to cause the application to serve a script of your making " + + " to some other user."; + } + else if (STAGE2.equals(stage)) + { + instructions = "Block Stored XSS using Input Validation.
" + + "You will modify the stored procedure in the database to perform input validation on the vulnerable input field " + + "you just exploited."; + } + } + + return instructions; + + } + + @Override + public String[] getStages() { + return new String[] {STAGE1, STAGE2}; + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) + s.openLessonSession(this); + + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } + catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; + } + + if (requestedActionName != null) + { + try + { + LessonAction action = getAction(requestedActionName); + + if (action != null) + { + if (!action.requiresAuthentication() + || action.isAuthenticated(s)) + { + action.handleRequest(s); + //setCurrentAction(s, action.getNextPage(s)); + } + } + else + { + setCurrentAction(s, ERROR_ACTION); + } + } + catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + ue2.printStackTrace(); + } + catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + } + + // All this does for this lesson is ensure that a non-null content exists. 
+ setContent(new ElementContainer()); + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + + /** + * Gets the title attribute of the CrossSiteScripting object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: DB Cross Site Scripting (XSS)"; + } + + @Override + protected boolean getDefaultHidden() { + return ! getWebgoatContext().getDatabaseDriver().contains("oracle"); + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java new file mode 100755 index 000000000..bcbee54b5 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java 
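Review bot: The Javadoc on getDefaultCategory, getHints and getInstructions was carried over from other lessons and names the wrong classes (`Gets the category attribute of the CrossSiteScripting object`, `... of the DirectoryScreen object`, `... of the ParameterInjection object`), and the class header opens with a doubled `/** /*****`, so the licence text ends up inside the Javadoc; both should be corrected to describe DBCrossSiteScripting. In handleRequest every catch arm reports through `System.out.println` plus `printStackTrace()`, which dumps stack traces to the container's stdout instead of a logger, and the `UnauthenticatedException`/`UnauthorizedException` arms only set a message without calling `setCurrentAction`, so the user presumably stays on whatever action was current before. `getHints(WebSession s)` returns a raw `List` built from an `ArrayList` of strings; `List<String>` and `new ArrayList<String>()` would let the compiler check it. `new Integer(100)` for DEFAULT_RANKING can be `Integer.valueOf(100)`.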
@@ -0,0 +1,242 @@ +package org.owasp.webgoat.lessons.DBCrossSiteScripting; + +import java.sql.CallableStatement; +import java.sql.SQLException; +import java.sql.Statement; + +import javax.servlet.http.HttpServletRequest; + +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; +import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl; +import org.owasp.webgoat.session.Employee; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class UpdateProfile extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, + String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException, + ValidationException + { + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + + RoleBasedAccessControl.USER_ID); + + HttpServletRequest request = s.getRequest(); + int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID)); + String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME); + String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME); + String ssn = request.getParameter(DBCrossSiteScripting.SSN); + String title = request.getParameter(DBCrossSiteScripting.TITLE); + String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER); + String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1); + String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2); + int manager = Integer.parseInt(request + .getParameter(DBCrossSiteScripting.MANAGER)); + String startDate = request.getParameter(DBCrossSiteScripting.START_DATE); + int salary = Integer.parseInt(request + .getParameter(DBCrossSiteScripting.SALARY)); + String ccn = request.getParameter(DBCrossSiteScripting.CCN); + int ccnLimit = Integer.parseInt(request + .getParameter(DBCrossSiteScripting.CCN_LIMIT)); + String disciplinaryActionDate = request + .getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE); + String disciplinaryActionNotes = request + .getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES); + String personalDescription = request + 
.getParameter(DBCrossSiteScripting.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, ssn, + title, phone, address1, address2, manager, startDate, salary, + ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + try + { + if (subjectId > 0) + { + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + + DBCrossSiteScripting.EMPLOYEE_ID, Integer + .toString(subjectId)); + if (DBCrossSiteScripting.STAGE1.equals(getStage(s))) + { + address1 = address1.toLowerCase(); + boolean pass = address1.contains(""); + if (pass) + { + setStageComplete(s, DBCrossSiteScripting.STAGE1); + s.setMessage("Congratulations, you have completed " + DBCrossSiteScripting.STAGE1); + } + } + } + else + this.createEmployeeProfile(s, userId, employee); + } + catch (SQLException e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && e.getMessage().contains("ORA-06512") && + !employee.getAddress1().matches("^[a-zA-Z0-9,\\. 
]{0,80}$")) + { + s + .setMessage("You have successfully completed this lesson"); + setStageComplete(s, DBCrossSiteScripting.STAGE2); + } + + } + catch (ClassNotFoundException e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + return DBCrossSiteScripting.VIEWPROFILE_ACTION; + } + + + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, + Employee employee) throws SQLException, ClassNotFoundException + { + try + { + String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }"; + CallableStatement call = WebSession.getConnection(s).prepareCall(update); + // Note: The password field is ONLY set by ChangePassword + call.setInt(1, userId); + call.setString(2, employee.getFirstName()); + call.setString(3, employee.getLastName()); + call.setString(4, employee.getSsn()); + call.setString(5, employee.getTitle()); + call.setString(6, employee.getPhoneNumber()); + call.setString(7, employee.getAddress1()); + call.setString(8, employee.getAddress2()); + call.setInt(9, employee.getManager()); + call.setString(10, employee.getStartDate()); + call.setInt(11, employee.getSalary()); + call.setString(12, employee.getCcn()); + call.setInt(13, employee.getCcnLimit()); + call.setString(14, employee.getDisciplinaryActionDate()); + call.setString(15, employee.getDisciplinaryActionNotes()); + call.setString(16, employee.getPersonalDescription()); + call.executeUpdate(); + } + catch (ClassNotFoundException e) + { + e.printStackTrace(); + } + } + + public void createEmployeeProfile(WebSession s, int userId, + Employee employee) throws 
UnauthorizedException + { + try + { + // FIXME: Cannot choose the id because we cannot guarantee uniqueness + String query = "INSERT INTO employee VALUES ( max(userid)+1, '" + + employee.getFirstName() + "','" + employee.getLastName() + + "','" + employee.getSsn() + "','" + + employee.getFirstName().toLowerCase() + "','" + + employee.getTitle() + "','" + employee.getPhoneNumber() + + "','" + employee.getAddress1() + "','" + + employee.getAddress2() + "'," + employee.getManager() + + ",'" + employee.getStartDate() + "'," + + employee.getSalary() + ",'" + employee.getCcn() + "'," + + employee.getCcnLimit() + ",'" + + employee.getDisciplinaryActionDate() + "','" + + employee.getDisciplinaryActionNotes() + "','" + + employee.getPersonalDescription() + "')"; + + //System.out.println("Query: " + query); + + try + { + Statement statement = WebSession.getConnection(s) + .createStatement(); + statement.executeUpdate(query); + } + catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java new file mode 100755 index 000000000..216995641 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java 
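Review bot: createEmployeeProfile concatenates every request-derived Employee field straight into the INSERT string, so the create path is an SQL injection sink unrelated to the XSS this lesson teaches (and `max(userid)+1` inside VALUES is unlikely to be accepted as written, as the FIXME hints), while changeEmployeeProfile already binds the same fields through a CallableStatement; the rewrite below binds them with a PreparedStatement and needs `import java.sql.PreparedStatement;` added to the file. Neither method closes its statement, and changeEmployeeProfile declares `throws ClassNotFoundException` yet catches and merely prints it, so the declaration is dead. In handleRequest the Stage 1 check `boolean pass = address1.contains("");` is true for any non-null address, so Stage 1 completes on every update; if a marker string was lost when this was pasted it needs restoring, and `address1` is not null-checked before `toLowerCase()`. The Stage 2 branch calls `e.getMessage().contains("ORA-06512")` with no null guard, which throws if the driver supplies no message.
```java
	public void createEmployeeProfile(WebSession s, int userId,
			Employee employee) throws UnauthorizedException
	{
		// FIXME: Cannot choose the id because we cannot guarantee uniqueness;
		// the scalar subquery keeps the original intent without string-building.
		String query = "INSERT INTO employee VALUES ((SELECT MAX(userid)+1 FROM employee),"
				+ "?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
		PreparedStatement statement = null;
		try
		{
			statement = WebSession.getConnection(s).prepareStatement(query);
			statement.setString(1, employee.getFirstName());
			statement.setString(2, employee.getLastName());
			statement.setString(3, employee.getSsn());
			// fourth bound value is the lower-cased first name, as in the original INSERT
			statement.setString(4, employee.getFirstName().toLowerCase());
			statement.setString(5, employee.getTitle());
			statement.setString(6, employee.getPhoneNumber());
			statement.setString(7, employee.getAddress1());
			statement.setString(8, employee.getAddress2());
			statement.setInt(9, employee.getManager());
			statement.setString(10, employee.getStartDate());
			statement.setInt(11, employee.getSalary());
			statement.setString(12, employee.getCcn());
			statement.setInt(13, employee.getCcnLimit());
			statement.setString(14, employee.getDisciplinaryActionDate());
			statement.setString(15, employee.getDisciplinaryActionNotes());
			statement.setString(16, employee.getPersonalDescription());
			statement.executeUpdate();
		}
		catch (Exception e)
		{
			s.setMessage("Error updating employee profile");
			e.printStackTrace();
		}
		finally
		{
			// release the statement whether or not the insert succeeded
			if (statement != null)
			{
				try { statement.close(); } catch (SQLException ignored) { /* nothing left to do */ }
			}
		}
	}
```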
@@ -0,0 +1,85 @@ +package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting; + +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; +import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; + +/* STAGE 2 FIXES +Solution Summary (1. or 2.) + 1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add + a validation step. Oracle 10G now supports regular expressions. + 2. Apply a column constraint can also work IFF the existing data is clean + +Solution Steps: +1. Talk about the different database approaches. + a. Apply validation in the UPDATE stored proc + - Possible to bypass by not using that stored proc + + b. Apply a table column constraint + - Cannot be bypassed. The DB enforces the constraint under all conditions + +2. Fix the stored proc + +Define the pattern. +Validate the field against the pattern. +Raise an exception if invalid. + +CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE( + v_userid IN employee.userid%type, + v_first_name IN employee.first_name%type, + v_last_name IN employee.last_name%type, + v_ssn IN employee.ssn%type, + v_title IN employee.title%type, + v_phone IN employee.phone%type, + v_address1 IN employee.address1%type, + v_address2 IN employee.address2%type, + v_manager IN employee.manager%type, + v_start_date IN employee.start_date%type, + v_salary IN employee.salary%type, + v_ccn IN employee.ccn%type, + v_ccn_limit IN employee.ccn_limit%type, + v_disciplined_date IN employee.disciplined_date%type, + v_disciplined_notes IN employee.disciplined_notes%type, + v_personal_description IN employee.personal_description%type +) +AS + P_ADDRESS1 VARCHAR2(32000) := '^[a-zA-Z0-9,\. 
]{0,80}$'; // Stage 2 - FIX +BEGIN + IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN // Stage 2 - FIX + RAISE VALUE_ERROR; // Stage 2 - FIX + END IF; // Stage 2 - FIX + UPDATE EMPLOYEE + SET + first_name = v_first_name, + last_name = v_last_name, + ssn = v_ssn, + title = v_title, + phone = v_phone, + address1 = v_address1, + address2 = v_address2, + manager = v_manager, + start_date = v_Start_date, + salary = v_salary, + ccn = v_ccn, + ccn_limit = v_ccn_limit, + disciplined_date = v_disciplined_date, + disciplined_notes = v_disciplined_notes, + personal_description = v_personal_description + WHERE + userid = v_userid; +END; +/ + +3. Apply a table column constraint + ALTER TABLE EMPLOYEE + ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$')); +*/ + +public class UpdateProfile_i extends UpdateProfile +{ + public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName, chainedAction); + } + +} diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css new file mode 100755 index 000000000..8ffcd6a7e --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css 
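Review bot: UpdateProfile_i extends `org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile` rather than the `DBCrossSiteScripting.UpdateProfile` added in this same commit, so the instructor build would run the other lesson's action and never reach the stored-procedure path this lesson is about; unless that is deliberate, the import should read `import org.owasp.webgoat.lessons.DBCrossSiteScripting.UpdateProfile;`. The PL/SQL in the solution comment marks its inserted lines with `// Stage 2 - FIX`, which is not a PL/SQL comment and would break the procedure if pasted as-is; `-- Stage 2 - FIX` is the form the database accepts. The comment offers two fixes (procedure check and column constraint) but does not say which one the Stage 2 detection in UpdateProfile.handleRequest, which looks for `ORA-06512` in the SQLException message, was tested against; a one-line note on that would save instructors a surprise.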
@@ -0,0 +1,14 @@ +#lesson_wrapper {height: 435px;width: 500px;} +#lesson_header {background-image: url(lessons/CrossSiteScripting/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;} +.lesson_workspace {background-image: url(lessons/CrossSiteScripting/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} +.lesson_text {height: 240px;width: 460px;padding-top: 5px;} +#lesson_buttons_bottom {height: 20px;width: 460px;} +#lesson_b_b_left {width: 300px;float: left;} +#lesson_b_b_right input {width: 100px;float: right;} +.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} +.lesson_workspace { } +.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} +.lesson_text_db {color: #0066FF} +#lesson_login {background-image: url(lessons/CrossSiteScripting/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} +#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;} +#lesson_search {background-image: url(lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp new file mode 100755 index 000000000..7d6ec61e0 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp 
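Review bot: `#lesson_header`, `.lesson_workspace` and `#lesson_login` point at `lessons/CrossSiteScripting/images/...` while this commit adds the images under `lessons/DBCrossSiteScripting/images/` and only `#lesson_search` uses that directory; unless sharing the other lesson's images is intended, the three `url(...)` values should name the new path so the lesson does not depend on another lesson's files. `.lesson_workspace` is also declared twice, the second time as an empty rule, so the duplicate can be dropped.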
@@ -0,0 +1,26 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> + +<% +WebSession webSession = ((WebSession)session.getAttribute("websession")); +DBCrossSiteScripting currentLesson = (DBCrossSiteScripting) webSession.getCurrentLesson(); +%> +
+
+
+ <% + String subViewPage = currentLesson.getPage(webSession); + if (subViewPage != null) + { + //System.out.println("Including sub view page: " + subViewPage); + %> + + <% + } + %> + +
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp new file mode 100755 index 000000000..b4f869d3e --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp @@ -0,0 +1,134 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> +<% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting.Employee"); +%> +
Welcome Back <%=webSession.getUserNameInLesson()%>
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ First Name: + + + + Last Name: + + +
+ Street: + + + + City/State: + + +
+ Phone: + + + + Start Date: + + +
+ SSN: + + + + Salary: + + +
+ Credit Card: + + + + Credit Card Limit: + + +
+ Comments: + + + + Manager: + + +
+ Disciplinary Explanation: + + + + Disciplinary Action Dates: + + +
+
+
+ + + + + + + + +
+ + + + + + + +
+
+
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp new file mode 100755 index 000000000..4a7c2bdff --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp @@ -0,0 +1,54 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> +<% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + int myUserId = webSession.getUserIdInLesson(); +%> +
Welcome Back <%=webSession.getUserNameInLesson()%> - Staff Listing Page
+
+
+
+

Select from the list below

+
+ + + + + +
+
+
+ <% + if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.CREATEPROFILE_ACTION)) + { + %> +
+ <% + } + %> + <% + if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.DELETEPROFILE_ACTION)) + { + %> +
+ <% + } + %> +
+ +
+ +
+ diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp new file mode 100755 index 000000000..607971305 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp @@ -0,0 +1,37 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> +
+
+ <% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + %> +
+ +
+ +
+ +
+
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp new file mode 100755 index 000000000..e811c0ff8 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp @@ -0,0 +1,22 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> + \ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp new file mode 100755 index 000000000..7780c2809 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp @@ -0,0 +1,153 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" errorPage="" %> +<% +WebSession webSession = ((WebSession)session.getAttribute("websession")); + Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY); + DBCrossSiteScripting lesson = (DBCrossSiteScripting) webSession.getCurrentLesson(); +// int myUserId = getIntSessionAttribute(webSession, "DBCrossSiteScripting." + DBCrossSiteScripting.USER_ID); +%> +
Welcome Back <%=webSession.getUserNameInLesson()%>
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ First Name: + + <%=employee.getFirstName()%> + + Last Name: + + <%=employee.getLastName()%> +
+ Street: + + <%=employee.getAddress1()%> + + City/State: + + <%=employee.getAddress2()%> +
+ Phone: + + <%=employee.getPhoneNumber()%> + + Start Date: + + <%=employee.getStartDate()%> +
+ SSN: + + <%=employee.getSsn()%> + + Salary: + + <%=employee.getSalary()%> +
+ Credit Card: + + <%=employee.getCcn()%> + + Credit Card Limit: + + <%=employee.getCcnLimit()%> +
+ Comments: + + <%=employee.getPersonalDescription()%> + + Manager: + + <%=employee.getManager()%> +
+ Disciplinary Explanation: + + <%=employee.getDisciplinaryActionNotes()%> + + Disciplinary Action Dates: + + <%=employee.getDisciplinaryActionDate()%> +
+
+
+ + + + <% + } + %> + + + + + +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION)) + { + %> +
+ + +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION)) + { + %> +
+ + +
+ <% + } + %> +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION)) + { + %> +
+ + +
+ <% + } + %> +
  +
+ +
+
+
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp new file mode 100755 index 000000000..5af0a45dc --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp @@ -0,0 +1,3 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + errorPage="" %> +
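Review bot: ViewProfile.jsp writes every Employee field with a bare `<%= ... %>` and no HTML escaping; for Stage 1 the unescaped `employee.getAddress1()` is the intended stored-XSS sink, but nothing on the page says so, and a comment such as `<%-- address1 is rendered unescaped on purpose: Stage 1 relies on it; Stage 2 validates at the DB --%>` would keep a later cleanup from silently breaking the lesson. The `employee` pulled from the session attribute is dereferenced without a null check, so a direct request to this view before a profile is loaded will fail with an NPE rather than the error page. The commented-out `// int myUserId = getIntSessionAttribute(...)` line is dead code and can be removed.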


An error has occurred. 
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg new file mode 100755 index 0000000000000000000000000000000000000000..39e1ed80d641b9f1fc074273cea345017b5239de GIT binary patch literal 34912 zcmeHP30zah*1v$FxKUe|iltBxS0E&TggpfWL`76KmkJFK5X^!kVHHxVEmf+x)KaB_ zb;AwfhA0TB3vQ^0A`uXxf}jM5tbuIzn|s+2Y588?_j{i&@t5J=GiT16bLKy1&b>1c zeg?mQK3VMK;smLvsz8gtKL~!QLU4=>4ul|AS7<&2L1UpYDxX4X;7SGjgH*Jj(dab< z`Kiq8y$(^C+s&g2c(4#Cp)bKVOa+HtPXX7v;)9`4-EEJ8zmK4CvhN^h&L=&8?E)Bn z6y4?P87u~KJtI`t!5ydTO7;(?Bli%_#DrjJg0sY#>SFPhI1@_~GYC>Uq|((d3`5W% z)gJjO#6xO5*U%==7xGb8QR~)Gy}unQU-sFdGP}PWz$e}Msu-*G%I*>dO5iQTBVB*t zhFKH(G{+m8K<4%?uA>Z4?oZINUxC!A)gc7!v(}_Y8dW!(62=T>&~5av#wL2Y6uLhn zAebIxqvz@2WMr;KvK?pr)j~H1kJZZ^bwjDaOqT9)Py3}V4!U|q7>r$LD3zk?z@UY) zS(GpgW}(MI-Q`PN+&y%GFbu|VnVzoRdKN3x5`&3|h%hE2?8g2K8p6oLEDvLZQo>kK zOMz4)(7-r=6`%+D>*{8JUVs`9?9Z|tr(wN;5@icSbPEd&1A}C|oE$`PVuaDi;L>#w zBP=+YL1&SvD=AEC48jkZbvGZnJuBFM1BGSmA4Vaw7-2naG_08{AUQx6YkHpsDWz!e|3&|`>f8hb(-WHihMkY8ToT&%a+!9N$#F?+L#-LSysV|cSBsfvY zLH(tIp{IaRur;y9^jxA2#q@a88q?!u(9hq+k6Rex8Zrw^ik{AThiFLj{r^GF5T+qG z>2V%*pdXb0()eEi$laez1u^1d1J59{dV>x?jWXu+#+UycWW2yS7z|+Z5w2K6nAQs& z<$CoGtXDk_9yC8cmNn}G=JjGo8GaB~^rSa`JNz)&ejZ&}ZzvgL;l9E2K!$HuCiC|e zt^sMOT|fw%$)W@x#FZ5PzQnQ@g~KNkgA(r%W~0MpW$&ln8rD5YA>z26R1vxU%SVe3 znu)aTCl%bGOQMM}NKN||$G;#G@uov@n-K{E$bC5p=yhnNdot3&N&X1^I=uAv(|q8~ zzmw+=tMgEaeqV+xT3P$VB4M*tHl) zR$>=@VC{O`?Ty(Z!Y&v-7Z9t#i;m?;;9f?i^*w3#MYAD+-xC)8X0$a9r5P`0Fj?;Y zVZoswr1!n+7k)T26A`p_D?%q5Q7J6&;%R_t!w0SR-h1>)8~je`!^RKa!*F2{ zZ)8F=GQoOaiI%1omUzN|*B`?=b@;IO-h=zU3N24M`Tu4`{|~^}Ft&amG%A<%pkwv~c1+-i40^X}2`+hwS`@MOPiHR`|pt&#E8!nXu+i&6Ek#8x( ze?y<3Kr)p{!618E!!>0^h4xEahu(bx8++X`-2;7B(NC@3Hy*?F@xGZox#M6fhm$gd zk=DI74%e{1i9H<;PBZ&nqYO5&$3klix*=*i4&A$bi*DvdqWj6{zBvS`R;qptH^Pl- z>Z&W%f=16(lc77`J+;qN=c2pC0iY$=vsOcQ)HyJ?M)r_JX^jn+--Ye@PI>e`W>h|-XK?JrTz83XUtTF`q9v;>7pSF3U8 zJ)%Af}! 
z*T`onC6Lws-k!yvb>E|EtPEP;U5~1!&ZGwWQ6nw{^H!chN z$sQ9F#$bmIAgO~h1VO=c3Y|>@Z6-LnBhta{DWHM-iDWj5;Y^`Z!a(dprWND?f>}57 zxGrXdg4DRsf^@;3f4BW=>@cc_<0=o(Rkw2y=MSW~GJ_}sDC%S?%Yz&=fHujW0@_g` zSuV^)9RaBL5G0JFw=Mp(2RH8`lpQ<`1IgCiJSWYBU<040#jrn11LMmX5! z8iE~p#gCE)vXA!*a$ryyVf~ytxl6vib8iJ`0xe_E5npSt7@=-#7L(E+IOC`QNbgZ6 z_%T=jQ18*lgCSl&m>r#ybCHgq3E-MQi#6O@1h zf;1sJ2$^txU{dNr%c1q)ngza0^a=zUFky%1(1jczcc?3fp*?iX`Z3_N6xs*;(vsSJ z;)c#NCL`yX&;vJ-ryCq#qvvhrYT_E|Kv^HW zC_0Sd9=*)NKYD||MF4sRDAF>L7D}VA$hzRn5S?imX`_bVTpB_LpM& zwd)hx>(o9YQCK3~VGs!QgH&(DAo|~c+VDW@?>=N8Egg_|uoUE&)PQ4A-Ny@!Ow24z zKoUNPv!78&jVmJ{I56t($mqv8SO%E8VAF>Dx1{vv9V7>}2ZU;{T-XkKnzEl!-R#|x z{;|Ob@b4XqP_QbZ(IvniL!nZTxyS@z5Q`Zw9s&NAf#~5u+h7{lzr=)uQo!MzKI%WM zU}(=d(_TFXgqYrHG++8oA@PFga;qQJ9R_cZ>e zCIBlq@B;x8sd?WJglgIEG#c`7`yQ>I325CaBp6ZI$iX~t($NHbFj%DQZrZ)Wm{df|g*Qh*(@#i9;z}B_7btuw6W+hDa+ST7p3Z0|qFd z1Qb(qGZVA~0}8IeaDoy5fQSe1KuW+5N(-bk2b`cp`oaUSASKcZ9)JibL0eFwZ2^Q# zv8JFFDS@`2?4l6SYjdQu0D6KF<*_gW*F+pbCjz*E5`fYaYXM{;CDPWy9BFG|j__ER zBRm!sD31jey+)*2pwcWXkRB~inHGp9I1?gj9N-0W0ZaujOU%H80eA;f10ddtxX{kb4(s4RaJ0wUTbS58nJzRp z$2#Eb9Dt|nO&4|pV8DnC3-d1Ug9H^EGRO4hxjiAWD^UKs%08U^yLtd}m7R>pxk`5_ z-8CW)jEGr@E~UFhTCBl5tAn3d>Kx@$xp z7!k7)T}pS2$O9u{R-#Mkt`T`)M9fNbDcv<94~&Rei7utPM&yAJF)Pufbk~SHFd}9p zx|Hr3kq1V^tVEa6T_f_qh?te=Qo3tI9vBg`5?xAnjmQHdVpgI{>8=rZU_{JHbSd36 zA`gs+S&1&CyGG=J5iu*#rF7SbJTM~WVbL|N@0X(#I{3M01o&Mj+z3rVf9(YYe2x76 z6fTFhf?vA+?T>2T2mHST-JgD~RaI3~ReR`v`!D<_Gl9}mdtYM}p~ItWy$jZqz|q5+K?{|Th3 zqBcrJO%2gVRb7LvqN+A(^5{?1zZ&zI9yAs^#SW)GRbz$yH1aI`^pzVof9|*2z~PT` z?`E5Zjhk_;$ZXC_cf$8gdk!!3U^+Sxo&D!}dU>X$x{^PI5FWoAs zX%C8sPfE+W&94ECV(c2H4%Dz`t zCxOeL31E0sC#y|{NKhq_XT@JHixM7C+^qP;qP`A>A}>wLFOxcltgH%&@RHX*EEh<9 zPevzX5Q+*Z;q4`d3frB7MVoBZcjgd(xzQkFJK4=YUuqam&^qeh^r&gHgK<1{%(-KqpMnVW(V&R2XU=G`DYPb%e1 zM5Gv*yhBrgYM; z&Mlw*;L6L`pU7i3?iS#)roFx!;k9;*ZD8)%^1vmv33=uugz>ug!o|e&8&8a1?gQ0_-I;|Yu`in61%Oc=hZ&^k31r9H{ zJtdpJ7l!sp8aX63NvA=O7~QX{%s?25BT0*dl}i(4Tt27P(^<;kw~2EJoaTh-(t9wJ ze5!;a7REi{M>hji5`G9$u#00k)j864OGpb=b#=s$`O77Oi*2_H_JE%1M6$Y6MP5vM 
zGO5!sLH?TapyV`3+QthO@@6klcnf(g85~KcsLYV}TC2+zAH5~CN4^MW$(3uqZ@j}H4KNyPgZDH3HD&&kZ;J74N{Q{0o zbJB`VASD%;90a_(8}+UjtPQ{|sV!{{Q9w|7mfW$hRdK1=S2)1GJ>4C~W+_5T7|ZG& zw%xk%CUIAeFoTdrtCoDmmTfI-jS1vsToTd0J$iHt({I7MFuEk}niXliw}*>E(sP$> zRN6HAG4bvva9dw3v9C|~_SgdZGA}TC6UT79i%g*8Eo;0EBu+|ny1I)fm579#oRsHG zvNV<7)F3BpvOQosrNdoT;obI~qKH?S_|2yMn6##GBAM{SbQtpcvZ}JR6o&2@`id4P z=$WfwNRTddvzrqYVT5sLYYCtI%Jued`8!0#<)1uyIsb@Rt$ukf_k47s#;Vb5ih=o& zTQ%Z*8`l;5>M7@3s=Q<87Bd49PLw%0e%;}HfAiaxx_ic-KgkEqoNj%^m{cIVoK_ z_oS$?Ie_;%E=$Phm`);GsS?}%s3;D;0ASvYzLnq_!TDzGHo>ag&Cd^NK8`Yv@br1z z3CVva;@%J2k;z2;hw$|NG zPj`6ViK;rSVlkl-d#E!d*IV%UJ-6M@G=DCfRu@}!+0rdSe8wXG!0)sJv6&Z%C3l`p zHNRq@m?K+pVc&k&rYYwR9h0)ZA2WMp^&DQv`KD1MXYIv%*Da_UlUB$LPIlR76}{1B zV&2juWTv@wOkF{i$7N`K+0YNbYq|jZ`m{b0Az-NUi8~DW+DKhfWry<>&Ab|+ARUJ0 zX-eGy8gx3JA<@CpS+4UwbU|p~Zn(?2Cy!9DACfAc_nVIV?&+8trP=w+8=3P!z?y!s z#YfH&OXHp>;<8cK=SYx1#S_-@`y(#58*x5-WYSB(q(1>eN901+q+V64bh;u`01}}T zyoy4Gq`Z)aj@=?25}{(+ID!XKw@%5+>bn5S4M5joPEn=&ctP)!7BwZJ;U^9WP(WD^ z7;0-7N{@BIJC%Z)3wV6#$%a-K`jy8QT(&AID9Py0?Ka1z_Q?OKJ}6^%f0 zZF|a&q#F}&U)h-Z^rvgr_H(}>)Ev5h?e|+Q7AZ-3*j3gUZZl`?F4h?3UgYI)%EG@$ z?{s!Zk^bqajRlMsPDS>oByYb{pBwo&WlQ4go2{pcj^a$h4T5V^e)hfrqS^0z6x7`? 
zFsz{3krMJvbff*qJqE4~JhR>}coK&E(5{ zvyN}V`^INH(8!X72t?K~{9>Zdy9c(h>~?SPU&JZ0)Z{xvj2Ov}+KlU+ZGuvrH=OF- zBEj+d5BLum*%xxEmB&C99j#wq~e{C?%FZexu5a#z|z$8M+d2%b3>4qCUM|K z`r78U`!>K(iB8knjf^-+>RTXhljKd&Mg;+eCNtV^YQ{8`^SO~ez>4XRoI_fo*)H2C z^08uzG;5zuYs`BrEZhl0U(K%IOj0bNrPo`<*G?LL!glednfD8Sdf@#fc!Ic<8Wf)8 z$EKL>uF9F2k>ynp9dhtm(x>vurv;8Ko?dHArj{mtapcn--%(8vkWN zyekLK`DOpX+%n(!F**@#J4weSd|Jem9KoxS71>qO1*Xa6A=M|(u6l5+WG$Xi&9vE; zb?zYfK*k@5tVY*PZ>^`-Ru~1CubHoY?1bg?umk7x7iEy1zHJfSn)xD|9<0AoqL6QHNXSn^&FFmdex1!r7 z$*?EyK$MpCWwYZpI8C3)C#-Ea*Pfo)^hITCRW{al7D4llwkXRAziCrkr^OXXSp3=c zng_?8t)R;fN9UY~ai>*Zn7QWr^A~0$JbbdUJz+($!Ghmti!b2_Cj-K*;#Ib2J!vVbEJ*#=9+qAxuXSTjfu~~P-%S_+qbE?i=(Y~0( ztAxZ`+FP3Eq+4n2%k#MQluerZ#_|HAdZSfZkf&^MJq+zy%kz7%xqSbs_F1{dO4#L# zQzozd>EvRAJy~B~8Mii_J&P~dKYz+1^Cnp~ck30?<~N0#9z3Lh>~@DND`yF(rYV`2 zzHw$w^`#pR7`b;>yKO7`ZC!b(Hqp)H?Aa@4UI*;1YQi^W*Bf}+%q+HEv1G;PKM{9V zd0i-!>?ZuN9fq(aTVu~GD6;G{Xr>?F)z?(p>m52NPRA zspxe5xE(E5V^k9-Z>g&~`*J6ha5KSd&% zgkm;LFrJupXJ-+>CN8(|nbl02tZ06ASS;p3`>)qa^~di>J5_F_lff*HXS-Zk5XSEO zdB-F-;^n#{w^!T^PdnQ7V8!xgJ@>pM+^1zb7d+K6$hRb=1~J~!IXa>*K)ei>Y`N`a z$^SuWDK6FI>NN0fzXeN=PH(&rm$tx=77Q^uWietT#$C9r9ntP9x+o{v%G)OLuVPYt zq$F-fY^;82N1F6@u6zj^%X}#ui8ojcZYIV_eoXUumlqpTU)Y)@9WUqbN&L#Zqq21| zATo;1la_GeWmFxZNZ>9vzN*(I6a+m03J5nU#GKo_ScmS&n6Or!NUA3hYmx8UrGO+y+IKR1vXuYv0q2r+2E78GSC6fGXkS4DCLNrDq zw>h4Z^i7Cn6K7Xz{gPuRYu#E{WCbv?bSa0xkohhHGxX&*93w78PU6FlKd^Wd{nE%u zC~r9zGiRgd3xaRZ<0`z`qWTdvTCelSM9XXhjE?9%=xPo7Sk$}8uvW2LKw z#ljmeo!4t-#Bd80jzlEe%@Q{Rr7vec>sV2yDrk)PmQ(v=Bd2`DzL3K_AII8?PZR1idZx`yJRnuHr6fJ?EkH+qH_4 zWU%<1^RYopeq)xVSoL|?vRfw_wbmsxl_X~^nETL@d+|lNiNmut^Y&v?oPIpA$@%Pb zrrV4zvYC=x`LvHH6h;|uetxKxm4TGm=TUc8^=M-{E7(H3c4iL3Q`P>8wuCo48vxZSnk*H4%ICRd!U|{no`+j&yvKtx4w?MG@ji z^jG1(K6^t;-(K2w<%^WZw`lhlkg-x?RXQzCquCC_t&D!a>)%aYT?JNftR=QT?iY=>RX%_pRrvv;{ypDm3| zUcED8>!Quy7tA#JlW-Xz{1LlB|EM}&;Su8&K%P^+7IQkzgf{Vt=MQ&jrw)QV&56i( zIX}E6aLwxG4vnT&89B!eC2Q|W;iK^ zyoveXMf;@GM&p^7%(u;}()S%UC%ZNNYMI5YIZ}SW@AwYq(xZe`#j#V?mK7cn7Hb=0 
zeO0rLkM+*@)aUe#3~z%K`|nNg*iVhTOA&thd0lhntGz+j7vMZy+_dgmA2=4eea4O- za$gY(z*Mp1oOdfDwd4t5NY>eiQRL@#O)Y`cK>G-o4GJEZLMhaRp%WHg(WA*Yvq!wQXngO%aaUV>1-q>)gv*9q{x?d zsant-lTcZGI@M`@K-mU;AZSj5PN#qkLyApeBwSVY#ehG0V?aKL0o+z31hwye^v4s@ z^en-;@MX^{SO1*%=+rGg^=~}wwsY@4@SW2%VUqiF&F|-*89mV|_(ZxBZDsndPmRAG zi7rXXAF1D*l+=v(MGVMWY;5W!RUj<2}q-+6)aO2P(Fb6iy?Ee59hI>DLrj!pxf6%?~P~w*Q2+@}_FogU6H?L{F6zae6m+NcF>Q)(u zed?p|h|e(_atcH2=}R9X`%Ibn^I_ zwC^LqI&V-sQ`C8idTP<7lINXPP5iTGFF!FkTmeJ+dDG|eDOCC@8a^x6<>Imp7WHqg?Ut;1{;7$iv65qj!eP*P9XU@Ri7iRi9<38 z2}MBzIj1B~jq_G@(+;pHwI9hc1aFf%vq0Kf*D(=>j%qX$VJI&M$v8O2eQN|TL^}O~ zsMs~9AoTVhRzPoczg~%2RnYr zd~f%O`?75pZ93M;c-(Pe-D+2Df^$cq4;@389dhEN?XB#^)Pp+NVlV8uI8uFjd{ZsH zC}vr57%i5&uWW6(rl)UKM2+lvxRKXdP6pE;mssH(>K|c-p}Usn@L2TuvPSplOQDVR zKUSxoxL>$u?*h|(JHV3+Tp~!ACnH`LaH^VGV#BjuiFrD1Aj?)~f}JRl{syV5H<6bh zjH8`S1ynK&{Tu;KB5>NaAWuHZyN}iri>W$dhcz%XNgBH;?w}S|aRUtalBOfhY0DC3 P!qAd9PNfa9K9&9t`uTvo literal 0 HcmV?d00001 
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg new file mode 100755 index 0000000000000000000000000000000000000000..60a809af01cd39c520a84573529811cc745ca362 GIT binary patch literal 44854 zcmeEv2Ut|glJJl(C?Fz&WQme<&XOhPBoYT0!VFK8CpaM8tARq-% z0=F{?_tEni;Q4+41cd&XHVOEC3&PpE3IZ{n`tmJh2{Q*%tJ}cfFc%w`Bek>^H?@kH z1q6!BgSa_4`Gq;Tg}DT%xwwV-c!YU*Kp?cID4*&*JOqKBqJH6zvi=n9%QHv`s0(>v zqM&`25%c?Ypiq8m2MWXY?ErN0SzZ)&)UUihF#}RSTS$$3`aWEw*Zn3r4?8DF@S>s$ zI+7j)!XgLsfeL(%VDv|@Q*tL)?=Y0=_UArEiO)^Fk3g28%^}Muaz!QF9qg&yz|JlZ z7*vdgi=C5(8Vt37Swf)JVl+D1a%_S$65=?b=VjESwGGr|sU7VhE^umfor}tf($q9; z92`=Pj`m<`X_$kfD;(_1!6Bn9L#?i?sHIH}Fyr8mRi&Y(v4O)Kg*iA72n4$s5}n-w z=72)AK$QUIXAB(dUowWk!46W+&SoCpSeqfUfM5XO7t#KP$G>hIk_jNX zy|@6kD96zQlJ74ivapAMq42Nb0LZ`7)?f2>fLY3z!NK1%w*>Oy$g#!7$<4;augxVS z%qa+rGec31qoRK)uL~UDAZKr8{XJKp>%l-Th;xc^e0e-lD90C#igJ8WGf>YzwI4NS zq-xCIz@Ye2+1D=mOY8gp$9n#vX-GTyqCBo2^>}PR*#98|(y}nK2Ykf;HskrJSznzF zU^T}+=c|ADkC}`v@E(K!X7j)BjrA8z`)WGJ@2h{q`|68=e;S|vTi#iJ)4Z=XbnJeR zs`xU!`N!_Z#noK<)2!Fg448$RK%iDIlTS05fA-?~VOlC>Y3u3&2U{Y6nqZ4>6U(nw z`0L5UPZRIooQ?i!R`%zqH@4`PNg+~kU#5!4=YP4h_}gY8slVe2fBUPk{di@V7Y$Q0rd{{bfe_^CbT__4;e>f1c(8+WcXjFQCmOAk4=t%qjH4 zJpY$6|J6kQ+YI%mnf`Zn|DEA~2mPHc1xCUD3Df<#oquDyY+QmrnB8ZS{u{7>z+c<0 z(2w9_+dW#aep>E+_1V8=yFm9T0=^p9=uk&GZdEgfZ!7I@-s~?8|BGArhu)Um(ScnZ z<^tEUaE3SnF8$kH$1g|lf8OK%s)reY0U%CCfr}X!Y z|8)(&a*I4{oC0i|Tu8UbDlK(sflu}m&_EnJQeqR>*U*|!bob24dGV9x9?^jbv;P}lA zSn?^uEbP89vNE%G0dpYFwthtl_i+4f;`-O8Pr$+6XP>Tpv{&(+SYLNMepSbxoB3t# z_;V|N#pN#=Df+dIzasp;iC-%Id7Alc8|CLFercg7$I*ePIL^`8?d;LHuKUp$^U+y4 zaOOLVDtWkcxP*p@s)=TeaRF`b=rsIGX)o%9qZ4FHfD$;zMmsuX_d5ihk>|=^FPlF= z=TPn+WvRac|MYMq!{QP6)aSElGbf*S(q7aYDL2-`QvQ5&~`JP70n#47ydg*JmM{>!4n|4iADX8u6(1|i!Dv>R3O z)BRbC$an|PQN+L}{g5KFXc|EBsXfRn2pNrlvJQOXf$TwGkPGmEfuJBRkO{~J$eV#I zfz%l&|G@%~guwM3?1;yg$c9g)KO%gEeHIp(hq~I^17FDC3`}#FE7a0O&D_=k$bDw4 
zX#wW~az{Z6+CTt?Jq&6MubJ;M2g3b(B$*`HnZ1wKL4s@dpql5IJBCfr6o~4gk$bSuG@Y;LH?&0eM_A zS2#=_3B~D zH694O_yh(hu`Iz>X0G;d;1SymINbURbmYeV5%@>+6Xw>^FngHucgiLB#Q&oF*8+e9 zqzZ!~b&U;&IjXtBUBKTP4vsxwNPmK!G>5?fgZdNv1klAcKcgRw#0$uZKqrA4MdHKJ z^QTcqaP*Aw*+(Jcjy@SQ<`LETqr47~0vI3=K1d1}a4?WLFzBd3>c9|$f#AUHa`Xha z7!cvVz@P?6gS0@OToMY)il%)OEDTfJ{3+CM`^GPM8VS;tmUbyZQ*HWA!K@a6*4lW@fAr4M%4sLEX0E5lN0|;DkXM?)Xeq!>4j||x5Xb%sV?@=T9ngM960`p(gm&w{wCyKQo0}qH3x9W4Rdw201k?*zR3xQAquEl zMMYQ!X5s1pMBpgOh`YK%EQMuwIe9tx_~oQH1qHddWTb>-xj6-;Wn`r-=uFpIbp}++$w@<~Ef2}v^f5rAYx^Ha1D)n01wX<6fvNr4(7sn6vLl71kvrF5WN_KHU^3v4>2sha8z-MIC$Mz+3G=%~Axl(X zmJlnCf5PKC%%6DxV;4B;GW$ndzQ_HE&ry4TR~_)W75`;i>UWL$jQ*L^zpXPYExz`J zBQUEt@-CJZ9AJAeaxA(4Zjg)PhyJj%5VkrBxfF*u0H?kjwvJ#R>nikS|ofle*n4_EY1V0s=hG%4*XsJd@EJ};!|PH9>9wB^DzE*4FEXA z>Tet-vgFSVK|+PUi{V3V3H%B6T@#MV^pVcU-W3_n2*ihS0v87tGW|^Yeeutv2EQi# zzW8U-ZJl5V(a{x%s(SxdnKE z8-NM&vhwk80yh`%48R3>Sh;oqAvrmoix&l?`FQwc1Z9LS^72b_3d!)wN(p@y{0GTCi~VmKdte|G z{;#bXS@LH)KthGpA?{#%eHjQaJdyi2;(W+1{mYW?wEV5y;2Wg?-}i*y75q$iG<>vx zi4a(v4KTeUX5YbnM*l%)Jp6+EysW&OLj0UZDbP;>T-={h?jy*jlm~$Gaecz!Wkpg6 z9Hl^?0{sO*fE0l63i5Ftr9giI&p>YiDbW7{Jb-l|Qve@Gg^;NrfC;3?x_AIvL8i!B zcmNwhrT{IF9?=38#LLAClp<3=S|I%d5jc7lM5aQ3oIrYnBg6+h3veUh0)VvvDPWVl zTtWa(WQwE}5=7Dp2_kWX1d%vGLPt14Tu0AHZbC=ggoKba3LWtjLQ2BT$;HnK*exqy z>#Y2&0<40pLacylxVTukxLLV)Sh;vv0XqhexCB@Mqvr;2fuR751YnTx0pkTQcVJ`y z1}`GT$15bjCBzHNodl%>FJ1(cCCJGw!^?k>4^S#6Fg%Ys^M@Y$rImlOePDhHMCNmR zo#uY=ke~eIe^vU;&i<=v0QeqP@>|M1R@bq*eoF(tg?wyX$Ljhm4g41Jv2`7*>$f!U zTgb=Ob*!%6(!g&aA6wV4x_(OozlD5kUB~MBEe-q@^09RttLwKk@LR~o)^)6|-_pQu zAs<`UvATXs1HXlQY+c9d`YjFo7V@!m9joiNH1J!<$JTYMuHVwYZy_IB*Ri^OO9Q`! 
zd~99E>iR7W{1)=Dbsekgw>0ou$j8=otgheEz;7WRTi3C=eoF(tg?wyX$Ljhm4g41J zv2`7*>$f!UTgbn(E}U;a90fyxUyCAupM@SSf$)xg>;t*mp{%2!5P(n#P|yfa4u^mr=}R2eq9g!fVxpoU zf6M&&!ukUf105R;2l&qmP5@v`G@$-3Wgwsk4GZ-T6l@UAiBlj{6f|@cG&H0{sF>KU zD5z-Y1Q@3=&tnnNfd1e*BgIWigspM$tQj2-v8K~C67x`c>G-@447|=b=U%?!V;t4u zzrGTdAfxRfD<>dtaY08{k2L>P``D_bKRo;fII*CnW1LCQYR#2dNLWGflD>hVwGG79 z4dL$LdGl7l?K^=FA|j(6Mn6hQPDxEm&nPS^E-5W5udS<66$x(Ag2jQ}J88fiDMxOp-xKY@e( z;Z>|%!sQ{al+c*e2XTehGYZkn*WZfNV;9{C>z93b2yy@lvrXz44na?Jr4N$5wyw;N z9OsTTacl*DGam9HoDN*bLZ$rDQao7MHfT6o4_1INlwP<2-?(JRga)DG{K$REUMFgU z1yu-ZqSN|23M<5gtM^yO^Ex!Op0il2duD7GT{Z}N zzwfh~1LtiZcTA`|&Fb_N=k`+!bqNsuhpnZ`ZZ+TeAuoX86(G}tWE!k^n)5`i(OmA{ z6J~?Lth-z|_#i3($&rsBW8UgQEDwuFW(J*Gr=dLf1c?qYbttSAAcHF(DDHL5NrVWt zmLs6^0Wj$0(WWI^+_DELn2G0mDp(v%xr`1$u05R>Z6UcL)kB+=kb1TU^Ry?*Sy;p(g<&Cz~`}pL$TUTaf0o~*v zy-Lp)sh59l#-9N5A^#HPPc;AifOdrVA*g2ba;>LEy0PzK)%8odqeZ>hDfb2xB_!3V zU6*3TC&fFKa%Mj4zz#@ZezQnT9KIXWf_Akswqm7PGtkWi4Ua+{(h=ef>fMJRgAjly zgb_$8zbI{Zzo)!L^n;c(y{t^06#50rNXU@+ExId8O{_OH2qeqsdI8nWJTe!V7J2TK zgHbRQ>u@K3j+i26&MXa5&Jrm6rDo1Y_&nn(jj(JIeH<{@VwcruC!-dUe(BErc=goGdUm-A7H#G1D zBVYkKPx8%cyhn+A%KAmfY$qHYR*4ylKDJ?(6$k6&mbM1(?B6XYAQQ5xpKuiN^lcc_ z5kXC4*<<0QPrgf`g&h{rfHmZm8=JAP&V)0M7VrISQ)V#v!sSGYE`OL&YlDCBy}&1Qfp1AalA4|@krCLf zk(GGY7w;8|^(NpgzOcs*UZ#uKh{+q5v9g54){VXqw&LPp!rE!3;Q^?9n~`Nwcn|rx zK(U5UNNuCY5~AonmLzv8nb~>&Z>LMC|1ujn#IZdwb>fgRsbvbWxPV zH4xg~gHFG+jS|@E>JCd^HFFi6>$DF-%~;b_cXkLnHu4g)RYvkl>*7sXMjiP(3n%&5 zugEu>bCM-eDKp0hruW`%3#ALg3Y0^+B8ywp+5O=SeUSdu7wV)QhoJDpUW%k!Lg#q% z$c63O4ne$elas{)6&u5_$>~e&(9+CX+_t*$RRnM)V_LW(5h5s9@Q4R}3gZMAv=@Z(gr-|49Z7VXL_ z#!d0}q`&xW_eb;Cmg{+R-K~8#IT~uSwBDs<* zIe3<)Lra5OhA}|HRinrud}%AM@8vD(NB0##I8$*gH$AOZ=R_1ptsB=ja`gQoCDw3X zdiT#dl<8HM5bK)yDq;-r4YZ~6Lv0l@S9(RSOl8-bBQV%|TPB=^KC&7^1tm8<<^pX` zwtLpa4B8vPo|hI;N60<3J%uaL^(r-U;5FkNI&|&8_Dbmkr^=2&3W5(I&Pz*ohcy1ZxtT+I_x?5h~bDiA)DB3uj%mmb=lPi|C{G^Tx+NV0L+WpO|3jaUO>;29Xb zj`fiWC*-1EQwO4h%uD1>=er2Iy%#ei2Qp9EhMx4SsO9sBt@I7l6bnGnCeAJo6pDm< 
zO=z*iq`aytD!y{@q^53`m=N!oqKLJoGnR(5EEu`Dcx$*fM4-#AVCW5*M>g1uf!Ceg zSLR||YXTYY#?2w$^G3g3R7ucE;wnPydxnV7)+=wQ6?AdP=heP6>9lNGX`kb~24EmhIC z*klB?HuppN6{>eRl!0%Er?%F}dY=TXRo&aGcnKYPS?^OXt_ zyCwXfhv^rrYUEXJq-1s6-zDN4pDEmLv`v!R(y%Br#=CO8yW2I^`UEY1vX)k8THskx zJr&RuQP14iRf(K10}C#iu&1Zoy-P!+O~kJ^w@qQ})!Q6MP$UyKFZG@aSi)^E4jbmy z8%rMX$5qK&(K%B}YTU)ZmO10drB|TL6#q6s&SGa`N5}{!+KMP5iJ46-##fOmVu)Z2 zQ6O_GBeO&pM%6)hyRSbM6YgIgYk2+SPOe0hUp?jC&b47Lm|YLFs%RiHcBIljDzTvl z`s77Ic1+XQO$=RYK0URIl(3Rpigc#!oMnuI9(45C)7OXj&FM@*=#MaIueM!0<7h5# zb%q(&-HCz}dVMEg#cPs|Xm!tbnX+<`DesbHvju;*^EsZ zdwVXp^02>#8`Om};` zYu5}t_C6|Z>Aj|!YRhvI$77#c4xXDA^%d|LG*b*C?Ed ztZEbWqSePCli8K(p?|EL@u6bM8XQp@A2f1D4?^h;NFNWp{vwERR1?=zXB=8jbQ(R_ z!Qu{TB00|`r?fFyrtaZgujv43*R$>0hoD?>gT2Qy%2-W!_4AbZZzl5|;?|IpsJweT z42Q#=ri%+T9z}%MP8VcRCqBFXQi<2JIYIC?4lco^F}Yx3t{ig0)J1A_xSN4`hRD^1 z&i2#^Va)}#DYXv*1tOH}$-ULgN57x*_Arf;2Xwj96zqIZE`E??MQ&b%yz z^enUC9pj`|?VGb^&*mT9A7UEz9s>0wxx}b+?p-P_GdhtdR_${y?KcX~F1FHM` zt$80G#laQt-*re?X!gm1daNiZ_np68-%+O(nsbJxn1Dr|kolZCp&O`OFgdzVmW;;} zq_!`8`v*qDHam6Hqf+P&4mUsF3Ujv!g=i%i|| zZ+96l7O@x~?7F}7AdK`}euM#zs5kE0Q{ z@DVo8n)%bF?o0i&sZX1yF05=nO1JbqLpQCnU0v7)L7bkC?3Pv2e1^4{s>=Gd0%D+D z@{~5?#DQ5gf0ea;^^~i8p67BkBKFN}R#aal#x;O@c5gXu-ovLuxJ9c5GbOx=Qgj26 ztOb*ny1RD_luw>Az^J@aydT-^t3QbFpk)~2H%&=Gkz@+SS{r|7T(_RL^gkFx zu3tDp4?$&Dls+DU{B5hZw~rQe?SmZlhoC;YmP63(823ZavPK?q{pJNEu3r`;>iOqz zSamRFY&xw-qzY~hAGcu z|HXi*`D)fF?^|f}>=O;`I^E{;{Umc^)~6I2)fq$eeR1~z!APTctDC)HJd;Y=x-a;vXDnX>Q#ESM^xiGv;{oM_g zo&d@s`2&@^Jwzsg!dob%7_@qe*#W~MInQitbx1{1b~;M(`fU4U??2b{YIBLJ~K||pJzuS$2#itC9vH#%JjSckj#9D2iD<5Qt5}-TqR#BUB|F}-R z_jspZuRX>Kf#J6HY&kZ5o_yLIDppald1YpM7lXsljDN_=EtR;yEm?JTs8T4r-y`E* zBs;T@rcy*Ek!yiqu--aIHs5|Q*$3kuA@t<#^ThYMW`izCI!sqZTUo9|nOs@wUUs4} zN-H$nI)x|Z%X|o84+ZAzQ`oDS<-X_455(OVtt?YBUT z&=i~DL94hAk4J@Sj54AB$JGjUu4@_^Gv4KVL-c!BSDw_ZXxVI5!killMNZ@uQ_|*c zs=ldRRE8>zBqe%EqhLL98rfL zA`yASvNFEb=Ex=3Z8t*){e)qW0MpIAjo$34v^v*KT9!vOqhwSSgieTeYb4K0lq%a_=|e_v+{)=W8}anf)HKw@Z(ElSD4*ulb;*po*_4r&gEk=% 
zl`0ovzMd=ttbc?%%1anc^{kzYT%PaZj};I0p1a2m?)+ zA{EZvO&aoSe9F#+FA`tTw%2)A3M?IX4Q}cu+%r@g>=nL7fR%9n;#K`HS$uMW_R1#1 zar2@ogoUuFW6I^gP-#PydmGMijcf0(yiIJDUR!`IL|kz$-R#j@T&hSIDBXh+6Dna& zUM6z0IA0ob{(h77R8~SQEuE5@Om6dZH0o6;^63gSmkJYyEOPT<>_$UWva92RQscAl zhFc)yy19eb>lJB<(y`hmu;iKvnPfh zW25vC6lau*sNSK2VjU14XmsZdohy-e7>g%1Ahp6Mwt6e-S-6j0Yk9h-M!vs2?y@)| z7Q50?5Qeg>^WqI#wDY;;M0xLfJzhud#hu-OSG>;V@Nz{N)4YKyPU=B<+pS5!#e&SB zz6ulas#;u(>0@9FoU!!~6qLW*SK_@Na?rZ@!nZNXw^AmitE6dg`zBE40nQAAyis7f ztJB-7?cD_Y!U1Yz?{=(Y$;2V(`L4h{y|^vE*umd@J zW72;9@lg{|mtpqRI(uA$WJ?(t>=}M{V$ks4b#zB-*~yk&aP|t?l_y5e&XSC2PGmMq zb1l$rlKdcOKofKwV~2@<$9hT-w^jqjfcS9tnhKw-)-_v++NYh@IpyVy1}-x@gxR=Q z5x7D&QtWn238&vK?xpdE)R0@Rq0jHX3tz|{o*SACj*pE>-o%>^N9Ecb@CI|~=|U)IbF7oZkWW) zpG`s<#HlcgSR-`WOIQ@Io?&ZQZD*S$w#m_T+tVg`awuct8nU`c1HxP8=Z zNcO}Hh}pePi53Mk#XvJgX3g$CZJ#uCEVh)#@cLG@*MWZGl~ud}&I6`Fh4a84mext%%j^hQV?Hn>LyXcRbR8D3 zOeaf<^$;8N7H;5G9&?+`x%VZioy`_D(`o&!!4Y#1t`L3|x}?)QU7D4GemrOMy&?sS zvMof4vi1l_!l++e4P>If)Sg7}*gSFX%n%#xz}ap)HwSQf_-w31NwW1Dyvbe@#@Pc# zYXScG!6E#+8%W1Had( z#8`T_pJef@%x!-iU%vJ(tWC7db<--;Ll8&h-PP%GH)55^65}gx;(bF}Hmm%E?lfpv zuGs|*Xu3|Jit>|+Ub7`-ett_YH+=#!si-UL3DG`ptyw%(F*UiEY8KYaD-d3rs0D&E zC!7YYWyi;oG|n3-Q$1&2?zW~mcgfb2ZloqaA;Snf@Kag=}Ke?!CLc z6&ZgJZo_>7iZ{=8j_7FX4;Git^r@D zHl=&OyM_a~`~mR9zEOy>0zGlm^!=;azHL_+e!*vYL(yOq9ztBVVzccH)G=dR1;zuVOq#4ckG$%FI6HmCs z*EM_OK#d~3LuA?&`V9JhDK0uDgra!!O-tPvcXZ{neEx?@rE&y4rLOXn{JFa?7tbW8 zTw__~E^H%gIpZY78%F0lU#br!e!k{}d!5CYB~vFeUQ%Ol5EsLbN2+^qs>I(SDAk;n zI*@}rTvFUe*GetDICAuQ5U2hl8-@lk$DzEYUcuIhbgICI<}`N+Fl+ie$k{G;nZtx% z+m8J~C_RTBO=#DT=x}9*8U;P+O1nrd$NSt~mFU6FDHT^d-c(9|gr3_8bO#4JQO%yh z5-dtM?KMj6dS7Gg-pabTp^DU}1r>>mTG4OB*S7Zq;uwt>BQtDq6Dwxj+)!f;3>Rs} ziowuP0##5eZq%o9>>PVx!rUD|`0SOC)-d#3Q;?cRs6~4yEH$M}< zL_cG2bYApjN%Hjo=|2Hbh;29og;2Tp^{3<<6bS%}uYAAP_=lkTCLfWT_c@0h|6pw- z+cOF8o4ayj0cXD=D6w_IskE@^B>%04Lkiha@dmPSnY^DF$bx#NhqhBP|ey{%4a^)yw^;mY}nR-Mtan&;|-pMgK<+D^;J zI2qU?8g?l{!$XJuG!a1Ga3Hr8+_PQLsR=c^7RM82x~uezAMd1wRyTBLj{m@fzIZd3 
zi8&=DC6!3SbOK{Zmn8I|KMXjOVi4!GpS!1x<~E5q8NJ_AwONmkfO;^~MoQfdk(h2a zcblY&p77+4PfN>)OyiG2aDf7Eb1YT9EB&$nLZ0kov$Bgn_mxLCT62`A9S*rNuU;J& z*K9PQrs}qV@YuWfVo9v2r+2>|@uneh?v8EZqHlO>ivge4`wua8e10;cc#(6p< zA?44mhp83BhK}7+Ud3#CUEx~aced%ZlkPAl5nVj5#)n&=(>NdSim06^u$J9g9xkbD z4z53#$T_(aI&Z@1bmgk8Sj}E*mCpEukJUvpRhkGLO7?0pJ;nU_@+1ebs^~p2wHU&O z!{_SzyvR=Ay0I6FX|zT)b#$<1U|-zZ6(1lQXuaiB?qk>DaW3Nm`?`1rYFf4*8A|(! z_}2pOVzmCyf2bbYmA00xwn{;D4mh7+bZh$%!S%M&0S6YryI%rq>rxaBh~K^HZ?!yh zr(1-|Wdrxh()A~Kt)B%>)dl{zc)5m%)rY+a^N3a9z+KFZ#jVY^)zjc$Kq;wg$$ z4ya4LlhQp$&f2P{NE%ER5rJ*m_mnPNt$=r~N_aWnFJ|P@BL8*(kwD{I1w zk%081OUyEUNm5W+l)XL0{@no~hP(Fr`Q;sI@?wT{=d4mQWOOc6iLgsolnJasvnZ;v zREWqa`B)^AtLb@DACeRD4(xHAu*pJGz(DJydQ+6TxYr=Z9=F4_cQtdyI{-0R%*QL% zQB>e%nEC7@Y6#ygpI5^5C*?+KVUN6v4OS(Fl16s6*Wg5*`W@Qyst?hVZ6jifO+(b$ z++eROj63=7@hj(DFdVYgG@ft3~3%dp0{iu4~%x zkF?-q=e=21v6kC>wNd|K#Nf(6_N$IP>p^X!aqP0m#;(q;*2fFBk8#C49V*T$oo5U= zi>AVB2pNMw67{vGM6%^o%?=8D55nh?e55eox6CfK4Ww)1U2rl4;VbmBEf$X#-Nhil zh-Z9__CkFk?ur;iY}_`>stB-46;W(NA>AEQ0^7XOv2(3zw;H-p|Dm?qfvvB~b2TTY z_~3OTKNewJ@bwJx&JJ1L?HSuT!K_`zATh0rwM_eFd4Zdz_gg9pMEpuW zx*&SYiX%y@9j7{Ai~B<=S`V8vNAnzYEa%4?v^c|LQv(f9QTr9puP^CUmJICNwXUjo zKwqe(6BC3PN%XYsG^Vgtc@2I2fCsu#hVCVl`Ovo>dk=&=O3FvZ5jFx&8&eze%EQac ziydX055*2aCC*-IPCAQq{S_QoN)a(ItJ#?X!H>3&p3BS<556Q+2%T3~&m=CZa4s1_ z?9R^{NWYl0v5~cTN=Z#g+mYdLw#~ZaC5#yoYNz2}8$Q{k0W}Hsqj525^;s)D2v}my z$_&|QySs4d$p_(aH~C!1CTH_|m$>0Oh{4jd&9JfLhIh@4Q~9fkWHL{iW;Wdh-VFLw zsXQFQA2w_QlZ@BtHl>7KyCTZfe%{(y=<4w8Lr`5|drI63`GJN6jgl&wy{yc7H+oNR z$g(?xU#@0|H@YmdJjcVLYAjE{jma`$K%-|2k~FN-{9sk#d@auGNtVfykgf$_UHQ-r z5Q zM8&gU5wj)MG2igED6Bp!eswfM(pdO58eg(7c(Y}^V8HMX7QqK$%z|1$c52gIx3_}d z99RtLtx%0xy%;doC>=;CwpKQqTEtDhJFikbV9>1Eq8tleb!VTO+v_HFRSfUVdv9lM zlMoy?}cTNIc)n+`^LjOS^Rq z77UGNq}p#!;!*nEswBb>tZwNjKT!2fn5TS2;q-Ve=x)I-uyZqf2pV>Bh1#XM;nCUO z+oW}pF8Ek&H|4ES-R4alU=Q>DALz(k(%;t?pdV6k21=#wD3q{F}r;>%ux8@xQ400 zFgDSd(~{_UTO=zK*n1zlSauZG5siEK0ciGM^CfD?SL(sHRw*s5_xrtmrru9hr_t~3p80_ z)KElTPs8d&sAszdPeQ=^7j`HG1 
zIvd?Jg9F3N#xG*tgfQ-jTyT3Mz_>>dN2Oap+qG@(-Yus~!vs&A@ELLF_w#;IKOsBz zipUl_9X;+9_JOfbmBFC#K1s>FJUzM(qiWF?u;-O#8l+)LwmNDhm7L5bXIuA z&bGVtKXEBXFr1EZbYQ!qQ!HS`!dT|`uz#^EFm0eLQlF)2Dw{q9FJD0h`t0)L{xURw z($_q;D^;cG!rx6x0A)&^&m8eDEGTkNPKvIu?@B$-S?#Vrw~Yq7UnZe1)w zmFJ1Yl3N~^zsq>qb2oppPP@`2Pe6PxGJsDjx_<}f5^DrQN8RK+*RAY3bYbV1X@i+` znRxTKN^zaft`s{EdnHvoX$)q(dV$v}z3T-A`iC~%k!MS=^TkFs8$@BL)aG&A!s!kj z9}*|4Yt6cz_#fQdig48%S;QL}7)T`RIRwqJ5ELU)RAaVVed`voq61S~_~@aXueH_W z>4ZqaLTLX8)VCEM*SrWTTz+0%>O9%Q4&73Ldh41|quXkocjb#GGMqFz$#jJm8@hlX z^QjlBf5SyHqpo)cOF>gKgR7P_IJu?$5X2&asN%=-<9jPstyL|8U+S4yj36?WkXyp5 z>`x_@ujIecM^PhxH{={98rY%Vp)wzQpWgDVl1ObwIB$^>UE7jK6pO*C!)8q(G>G@w z%@emW^W6IaH{WSv>~N6kR`NMGl&d^{>E~ffz%=2G%L-a+RrTXg4Q^Ofoq-lpwHG2w!F_=D0y*`KvH#v%u2 zo#k=^g_|ZG3EzE6eOjy(W@I@SRJ2Gih&f2`AYUUFjf;;C@?MUmD{EmXaRdtO=U8#Z z#S`sW%vqf|yA%=-_u6C!j#w}*SQ!rYn&RxmAM3@9?>BZW%JiawE~!>#gi+-U3{~bi zt@klMbI|7E#TIq#oR`^Hf0YoJ#e01>#!NQyH|f=TT+8D+!W_J%cZxrx*$F3 z9e87YRsVFPN+o(^TUeFFWPNFRvV?eo)t26x-Ht%llRJ^icvZ`kZF9|8@471@cE<95a<#xu~Ks`RtdhEE(^Ej*G62lV@ zd&7#(P=_&TT>c>H7bRIKM>xs`{&%VyJ7sdY5*?uPonn_2yqhw^KOyvxqwHRWohQdNyxgqd$i^JyLdi<{60vX3&c&*?Hpa(NJd4%#fi6KKzQ0J;Z(^h{VG%Y zrNV_nQ0T6&GNOU~(b8pEZ;x8wD9mz+ZSvYHvtZRkxRew>$N9>c&8Dp6#FW&C)LSVj z$&x|qnO-@r_9JIX@EV4F2=fH0YI16(xI`)lF?9=sZgCYcm|O@=5zc<5M0FZ;A>!1B zleS6v$jDBTm+RxmIKph?K^}7T4tIe1-m2LzLmna89fH`F!+l<^x?rs;F%6`mZBbaS zs`+d{--bX(t8Zw@7rDJmxrAn@yn$~V9^R4-F?gm3Vh*wPS{lF`pnu?ao$p1qt*vd} zUO=jXJ=C(yAbM8TIU&~nY0uLGU-0Z!+#2Z{?`J~;5~lE++Ss{TdxwJ3`m?EIl(e=J zG?66C0u-_WD>w@&swGSs=;y=uPy(-BpV;+t?7JkL&vs9Fi&%Xw*-mS9^o4Hq=v?Gh zdF*bz>1oEN5*%^zCAs2SaAKXs*yLd`|2`6joD#1NXZ!uQ&WOH0oasxdrbi0XjSD}N zrcoz8da64)GjaN9goTc}D^W?lzT0luL}~CJCq$*9(^cO-SKQ?m)?a%Sc&|;e7G-B0 zdoy5-Z=11$EXs9Zsbz;MZ!>$YcQ-rA5*k!(=)4Mc@_LkUdqPzxEj_P5O}+2|wW0>E z)cdQ#SdIo#2AFjfL-OSJ4MgOc6=+|3_UxO)DL45*2)Uaa(iV*sTdHccS~-79 z1$|k$7dASJVc2t~hG58As*%xv-u;UOO!s&6_Npi51$_Oua&Gz&SD?mZiVRd2hnOtS zJ%&nfyA5Art<&*gU}2$c2+qkqI2V)^7>JWcChS4NCClc(FTQV`zf|%z=B|;vyWOQ= 
zlGX8s97Qj?ld)$CE`&wIuZyuDM&3}}F@~sg?clDA82eqV+Y(1(D)(&R(TU_X-LmR` zHAW>6*`{ulo)B}6lG~s3(Xe7lNT&|Q#Ce}~icH5+0c@hgf_h0)Oew)+F~xNXQ zw^zWV*HYZCO?Qq2OYn+wdYAb-x2*J(@yA&=6-*|FxTud>XZSM(1Xs=xQW@w3Hfd>C zO5ExxV!cj!Gbr9U3A3xAe8iz-z)9^{iA{}T)&;+=nyeZZj5_agXzJ^LGvM(H6`Nj3 zjCZSA-`+ag5#zT+IoP|4!#nJrp5LnxGIY8}^U~@|T=1FDOA#ytr|t5yv+)a54f@T7 zmchlPX+h@^i!T>b6%is01tkWjaAjXjPrnnMr+Qp1`jKZ!Ucp;`XEImVgvo!0NhLHO zs{%inp-EnxN<@l`x#nR~W}}X@L7?q25o=m!=UM~(WtRrlJi6PN>~0Pj^L7=3ZV>Px zh?rL2sg_D&b>}^4aCGp}lE}lX>~|8Hh14JYGAFyPZAGn-ZA-6|cx$K}i!sU3#9{wBPo%+W7gv+4GfQh6^#t>kM{A#5R?H-*0ZO zj#8qpEV^0i{2DEe{ejrKwVE-ihSt!05vpRZ-JH$t)`biwqn^IB)sY68VQtC_*5R}z zW-l7T(i+F!2g12K6Siqti5_yH4LP`F)o&V@mlU{#iE<|M?iZyljCW6#7vI!LdH`~_ z4(U_9QJK0bA1~0L7JCTl_o>X~5o3NpWFQ>;I(5)}d-Dkq8{u}Q#2w2y@GVhS71lTD zbcEZ}2IsU>Qb4I*BBe_hi7&>cZ#|+gDQN3SJ!^A?gUAw-*(qBX-BWERWRGfxpeiOy z*lPk|0>fQjWPa;VnrXXYKt6KyVBBH7_1(Ch;0p>vCgm{hCsGb=MF=DQc`$L1tJOSJ z7N+#0FQp@;I%?&+!JsQ7?$L+ZFg@CtL3RD_*gWopsh?26A)8zQ@37T7aOHD}<8 zkphns_P{U6x|``H7gbA&lI)$iy0KRtv$8eKQ9JUWGv-ldf=G)ctft@s6-R~5EK72| zW$_dRN#Ya_$zUhRT)C()L8}(yK>GV!QLnDyo>G18yP3Kwa{lCMDH3BJ2lY6WN$M`} zj<4>--Y4VOdF+k7Al@C4v=O5-=~ z_JTdT-qb(1(-9Jd$JlmtzSReECV}{gOvI?khE`&M8Y>ZJot7G}%S%y>7W5Aa`E|V9 z8BHhil+Ia(F4zqtS6I`*bPN<`Mkm*$a62Qp<{n~Bu#kB zxYw@=2<|zE-B+#bc_uMJxZFA3Q@&9RtdpQVAD?*TKq$A6`4JQ34>NKPL3cjJc|L8p zGT)6h{Bi5wADko>atNXnpE?8;shI5BBDbV1fqfIILlAZKMhhT<$zj(&m?~X1J}cus zXsbvNTGv=!%KYm6b$0x5fZA}>jmq8IVcUNtFf&`^g!lOPVo=R$YOdegAaqBWz9*sL z&5M-{B{N=><)W5wwG#d)qp`V+PVF+?x0)9s<=ixYSp9h8@LYy|ilDO1WW3n{AAc1L zla*$Q<>G?QXm3meY2VL`CUG?CCv;9iH(MxJO!QSoL`rVJk&jWF`*oy<+h!*$uCYp9D z5L1eTwPdzSsuLN{XwF*foJ0Dai_qxD~;5i_E1Z=w?zimU<%L z3a2A|2*m?TlZiFhdW)3?AZ5iax$P4nn)ib;YV1(VFGY%H8kc}LFe&v^UB zwc3+tCd%V`6gU+u8Rc;ZM8I0Y>!qNOA_0EqyVx-)mm|HfgIjdQnWpDk>%!m-Eyn1J z(&w|1f*qV7esq^$vuCZQ2n1sX$F4GPjodBAO{N!(N9) z;g;q-i23;2Vm_18(~pG`2I?$u3>q(XzEzi3c3hJvT#qPBX)7*8x%`^hyVVs4M&>eJ z8`uvRuIQMqqH^3^u0IGF5VP5>&VrQt<(3baPYDD#o3H5G$Kr%=X_OU|c08ZsiGag1 z_xM&^Z`x!S#=gDX(?n}@r4<5!wAjahhg$1esp{oj6>O#6i|__+*`5PUXI>s|WgWP0 
z_b@>}qx_s)>iDC_ojY2$gxU7NT~D0KHgi@Ld%dP%;|RHdv^NL_VP!n$GdT^GW+9~| zn0gB=v(`Nn;PaWu_Y_au3Y5{jhjUsiv%(}v^k9WQTEo0u{*eQY=5QFcTu3iqzxS8A*9qr81PL;q zb2cFt-lf8@8&7?$3|W-!8{tAf^BXY$@Ct9ckfyDGZanS%8bnq_#*-V zjRws=wjh$!hvHW$W2RX9WF$tL_S$xY>5cvJW_*SHc=jtw4)mrGes)$RR{f2PwRmd_ zm2F{d()U^>5+ZMf5MGHsn|2$jfeSB-Q0YUvPO$%zNU9zs@qY>8Kan5=Ow zxu>RAUE7aa@j1N|+TgI~OI$5{Vgg~iAyC)9 zmjdjp3gtxjfF{jqC&S%@wlzzhcfisL6C~<5AkOiYNj~1e6Y;sPw7`A_NRekMyQULJQJ6tg9G= zP^BbNLlpt3kwg$h0T)G03=l#OMF@myC<*wnXTEQ~**SB@J!R(n|IYo~bI&{T{@(k# zu4hs*<6O#JTD16_#-uNoJS0-0wP19V>M|;QPG{|ON*`rXvCGOM9fwWAck0KQbS+QZ z@2FkPo=LC_;|_v-D`I^I7)4&r3?yXVS}Cl}?w_gMx^JPUxeD_hX&))<&Zxa_p9QjG zA%VJfNeeBBvuQo^ax47?G;j2@n&fsGw;1rQ*`YiAhI}C@4y|7YB9~8n^=W!xHUTD{ zl}IiGPx`T9pNAd}PlwxY&3Cyy9yLIcVvN1m(F+L$!IPcW11_Vs(W&k(D{&aqQ|vqY zAhAXy){Z3_ZYq=iWDw|BCPcb&K11Y$bsUO%jM6z_i1TOtHpo??if(G}a@d&^Kl_uv zc=pE-8FCsS|24I)O8_dv5G3`K5yhFE7=-@7 z-%-tD>J#I<$J7IFz4BBI@u{SK*5!Wp<%6u7fO9eW#)(7t!QG#(fQ26 z=a^mbwCW3N7F`@-?coc@+FXg0%e`Ndw-74FHc0hB21FIHKb;gOJt-y%Rc)}FqGgP3 zQI+o@hC(lUirpC6;Gv&I?VVXaKN-8%J2b3}TUGQb97EQQ3pE8Ghpr&dxwKD{c z6l^pc4Js8^HP6C+{gbubi4 zOP-dp5qR<%_b5nV=8TRMGvQM4zS9sJ!uW`sP`WSyfaBu{jUde-C&>88(D;d7Z?%Gf zie3gUNbx{Rzi?xO<1x0PTf=7HoazIwAki7uQ{(M-NQj5A6z6zf19YEt1ybsAE= zrUIlkOU8+u%lds|E6VnQb*5kJO*UT_(93I&e3wRwX$o#mFkKrlZXQNiEl{DEeqFv|7-+q zBz$L<0P1lrs4)U4T?N~;taC_baPcABVKS{mYRAmiXJ5FGidG2FvLU!97N56XbQd10 zJzA{93c<4Uruh^6+3CJCEnFnqW#>@hTc0g9=Jz}a6T5@&w47~&TKze?`VR&S$~JzLs^zLi!)3-;_w`|iT5_zZN9@3oS5|3!!UpVFoOT#bd3!`}gG zG)551?jZIzSoudd^Ov2Z?|}6q-vKTi2TQ5%gMWcPuSDDl8+UKTZx}p7>}7XG=VF6R zxnwMN=DOnt;IbhaZxbpepS+9xo>3_Si&?!HnH=7 z`?L#r*x3E!?6_{x1FyY;)(55Ly+PAGx!%-qB>L%npFAHgYBcDC+%8&;3YRm#43=DNNLQdQJUHj(X{gm*sEH zS>TxiwEX`J^xv3sd^F~>&}sUZR9k|ZzgtJLGNe&6oI+W>-7JJj))60h?ftB_;N#6R zu7S6enS!gDrgC=Q0rgQ9eO-rQ4lVE02dbE#L5@)jIjm(9qkhi5vOYx?ke@y(Wnu+E zDC}c57G)J{@igv;yw$XO&5aWa!cA2YFF(kRzPTFFdg~^i1=JefS1yOp-z2I-w%n|| zyxCu_Y+Luzf~^ z(t>_lJFUYr@FI2>=D#e(VbT=b@LC(ivn=jbc)murs!krHMZR^ci?SKkQ6wvt<_y6# zA{ 
zeztYjlWu$?sy{G95b(#`pAy}0saqpnJsHP%xiYY^(1{zfyv|)%{d&mGj%embQ4sA()5^pe z3Yh^MP1-gH6zZOG+pK;#dE35E)UOM{e!d^4CG)7fDKd*H1)ekGVHfJ#Zbm?C?3PmS zmR0l=@GfcPqpN{tKlKyegB|m1$4rcGudsn6l`KRKB=*ZlzLn~G|F-_U1^;t~YMfyV z<(ITy1fKS~UeLIWzbn$vU&Ymd-wsXUPEQ8FSQpd#s}|j!539$}Whk2jML!brnl~?` z?GA>iB(9+q7d~2!2ByUFU7Hr12W|TfIlreg=;Q?kJy%< zd~s&#NZu`eaoCW9i zp7M{k0V?GPslRi*N)%3U<-!KpWJGQGsssi&j*m>y!Z`)XYf7gscFWy`B=q+e9$03JqYpg|#uvBWbAXD2Y3EWCauF zN=_08@U`!0xe#aI5kkNHBjx%c4Fm^FChQR1ICEW_{>xDtA=PV7?WW6GSh^-m_n!3h zj(2&bADOu8VK@(;wa>kLD$Zd6`j^}#Th=t6*T~gAsfeP>V}nRX-%dMY&R37I0)|4G zQ@ddaN{H;$+T&_(5|8oj#E)Zg2S;x6EB!p6-^WwMH?_8bjo}HLY%AJa6vvM``}rB> z5WIOaMzl?Pm+>Z7Q*8piN|mR2D(G8-@@rmLH&t_)0b;(@FSJv@(u275^18L-Z-l=C zAZ+(yhl9#tCq5ijJqAFDDIp5u8ruem4?ULmFs-WuAPAW1wZ!&0B4XN>kUXfEGNSd` z*gSs$MvrZngQg-MHpZDCnMKZ+f;lZU7d@9je7^vBT|=igH<+9&pUDY6eS(yDxVX7w ztFBWmHg;j@gU{3=BbN?IDr|7H!Jco`M4jQ!IAIAcDndWW&DE)f$&!6iI7Iyc2Mu#+ z>DA9h2)qi3QOe+deIt{Z>2z{KPc=x)iAo|%P31zF!wZX>9T_R;d= zN<|`7xJ)11qb%#Lnse-RwMj_W(kr@oY>jb_ zo}T~oYOBaa5n1_ljV~<=&aQ%-*+6qf=Ay1)JN{uUi#lD&V1U(EkAgXtM0p@@gE)m& zJ?$GxXgiyQy|Gr?2k>Ux9NfY4CC7QkF9B(cuVKoLU2j#fdY&`uTgeh=(J@x0GCb{y zt>s*Y$0!kLBfgi=kRG33b4tUdJ{{9npp%6M$kJ;9W1Nrb3`OH2JvM3W`>O2daZIPd z9wFMIc1wH%6$!!w&xN~jzf`b=T2w8=>GRcP88@HQ7^RE09)>~`%hM#O4x@Gx)O^B2Q={? z_o@Ea>-s|{>(E~ynjatYrzfImyMOGQhQ$9j7x!-<+20mf-~LYz{L}p~|AxKyPu>2* dqCXaHKmF%t_Yb@IFT6W{ZA^dH*pKH%`5&7dO!oi) literal 0 HcmV?d00001 
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg new file mode 100755 index 0000000000000000000000000000000000000000..c91f8a0524160d98d06ea95ad5dc242c9623b50e GIT binary patch literal 9976 zcmeHMdpK0<+g?MF+GVRGwPly2qHLWMX?C?sC)q+OWy<*wN)Bn5wX5ApNg_gwN`#n@ zoEnoPA&0^YGnjIWF~(rdGi!bC(DC~1@49|}e1CL(*IvxUywAIy_c`46{l2pXZ9(5d zKkwSUb324lfFNh^1EGVE+8+Tx<#P{Re#xsZD`GFvf})HAq1Xqo{^KUt;co0F@LJG2qXqOL>aY zVuD33)!NhJWIpg2iw@=T?L z%Ci)o8;C2RbqYL>lStM|cr-8t^fdwMz`;Xq?jD|jL8pVy zT)24Y@|CdYTQRY>B8|G*fJ zFA$2vAaRVM!lX%xlP67@q@*<28-%PjY2nPtMoQ44S(~ktR~?&ua>|yoI+5!8?mEs{ zt&+32?Cn;+VT}*x*67}}p6m1n_g?OjwVF2TwmIufJ#{{6yT3eMTbF?S#(!TJ4|sIh zyy%oCFPpl@Zav7aXzt-HHMetJA9yh)_30~WFW)WbQfyj5C9O}e{C(a3zgyx-VhAb#Vd5HIRAKoA6*@WdXz7EQY~2bROHPl|~*G&NCV8uvRVL zHfv7GsBz9|Y4OZV7C3y&pI#(wEbx^GRsB%N5QQT87NXFaYa#9;^$`@3Jm3?%aeOP> zU~7mL3hjU^OBq6T%$UaFJmyvH~|mrcvJ3k6NJ6v)4il3Z*uR)KQ4(DEQa# zZ%O_I!~Zo6N{F?_9x&y+Y*h#(!bq`*hlXSYc2TJ|3gHPH=~bj!UzVVK2mUxJRBc0{ zStt}|UyQvfiyf{P%ok89KAO>rwZ)CyOXe4v=;^k%2RxQ2p4{JweOJePJ=T$Ux?R{XQxz zf;S2+f4152==t6PFIx;@ZQ96d#PQGc0$!sLsKGmIFQKcgXeF!Wecv0})A`36j@>Qm za!M%M8KHT2fxh0&(_MdUU;HrZQLN3)s_gAHe>C4)-)#9brQo;KyDryf$3gEgtnw=# zM8jIYmaOu^%sp$VV>#?^9TKN4!eygST@eZ~;5&Se)Os0DLsE@G2`TvrLLxtjOwvUm z{br_!hLvaw+{hkzC=|L48KLyDniGT!FroW33RTO3kN_L_Eh4xF9B7X_Ano_<@(fKQ zc~!x{EJmRKtaQ&EJT(C;Xu@&y5g+nF$`usyV0G+?kdkO{pA8D}Mp+!X0gyi{_!&u5 z%yUK7$>bjF5oIb0$!Cng6!*N5Fs$Gf3K=^*LZO$;Cp^xQ-H08FGMWL4MW61slPw2H z$Yb!OpAkfTN}?IdL!p?Y@hB(KB<=Sxk!LZUCXXpj9d^?8GkGVd zpV!C)YY?#I(moIbsDt@8bttCYM4?+^rj+#%g-FB*!do{)d{x#1*U~bLxyEd4AB!Rn zQ|{uv>=M=T`w0bXv)ROGcM4W>u;JA8|+OVIP}QB zDYAA)Q}&XE_Y3Je3tpG)TVK1MqA;9gww^{(FSOcMdw#Fp{cUpsr-seDb7y|chMXr` zGC6)~uKRW^x6Jv;i!hM2e9vqYa{W0j;5Y7H0rrgI<3iy?Q?pzVJy}|I0(Ngbe{VMC{RSurp^bL43moHQu2%NfMoq)aWaLCehKFT^{np0q%|I?r=0EEBOpB2-f;cBG_mbCPM82D zV>j3{s$TJw5AyYna|~i!SKMu8Xaw??48&>)){3S)?Wkgiv}zJ>UcBHMo~b`e<63mZ 
z&qtkaOfDqLnvpBBOSWl2dhc-^I|K*=#vocaOh%Rj-xKz4ba)3Vogiaa*U{yQ}>IaH#T?(gixj zqkp&MEze@zs&{=Bd)MtabZ_H@O@G#I85_`y_s_h3H=V9-yZEv9uZnOQ`9j{v_2uvb z+-Sf+z0^Wt`Fp8QH0#N_0H5lY4K5>z=kIh#I3CBt4r@5{o;WBiow}kmGQ`pMNX@pD zoyoD9IVbW}QlA$6k-A~Q`ga=^N7}V(KH7i&#pRp7zaSBbt<>jtnpnp+51g5sTvu*w zv(!Vd*qR!75HX+OqMLy&&#;)YrKx|PD|zx!u0u&O)MhU zH6DtZ$gfMMh-W<+8Fk(&2Tz$#2T;ys9!viv88-z{YIL`HLf)R3-(?w!JZM{lM6c zjG_1^I|eH784Tgnw~I1asnFcJUAxZAz{bvcm%07M>#Z~QCk20eDP0GPstkLpw8uoF zR1ym5!uq(L$CNS4+y${?P)HmK<&GlznZlw(V0=-F97~eXiZ6`3BGxeNTeD7eF{U9K zy?;?dp)34j9)_1RaYT{w&Ys_Eak1O#2P?RlAU72$NZwa-IBv#{rV9Dj?y-*8(^{1#t4T8(_;cnix@S>?lp^qdi+m z<~xb)Wdb3%AsO62BZU%snH)uC>AghX@=Av_PU2Ab1tQ}uIO0`Ka*&uJ*lu&?_^q4B zeE0(*kqrwt=^`FyT6Sr@bOQ>V0lxyuLolM+n2pp+v7JPggw_-sz}B+4G&NbYXMik?AKDr3_Q6f6cmk zBMNPLw%I_x=bbTW)9M=4iWvZtr zL^zt}$s^hyPZ|!1F@I0;_RdP6nLR2BZy$kr^T;cTm*tr1_*-pV>7*CKM4^hzn6vKg z&vI18tgW^$Jm54n1lO=s-(s;_gvCcrlSgI7+rjY07Rs-Lh0=qpHp)xwJCS4XtB}~u zouyv>RD7!7lCAIF!Is-~Pinji`^A;2R#D|XNgZ^1eV9!Txro<@xT)e0vumew#K++^ zjdQ~Pyx6eJigi7E=CuQA*5%0(6|U)NKGG^$s8NxW+m1r>2pU6sUkl3%O*mcV)ry71 z_uWIH*jkAtnVu!4Zcc$QAK&aQF7C^a5YF9Kzm{?O9IWvu^~%wEcV0QBWoMk5rPg$G zc=1UIhSl^yrN+%nIl-w5IY`(YczwQy)SJ<6*CJ6C-3OXx)>T?Ot1G+3TSh&yqVYG! 
zQzhs2R#gNlF&L)7vA#p8Y3bQ*+)`zq&f$Gd%O1o)%}Q>=KH|SH)YS8TrP-&h3W?Za zY$2W3X0NI~TuI?-DKh37MplYQz9xh>?JJ&|E|}h2fEe`!MZoju&xRJ=!_1)eKg*w6 z(M0xYwC+sXuv&i?lhBJ>HtoT4j;b_|7H(nwp^^HQ>5P3K%MvHu9?qkczJVzD=2VR%Cuo2PbQV8M*qQmfL zl3bDC3M}&^SdS_ND&y3jCX0}8SmWzEXtROFVbeMVDC7-BXn%*|fiMEWO3M-ke|#0P zH;o%aeeD(M*gg$~vakCyWL(OHsYczLB->e0hs6OxHo(k?td2VN& zoe`$z(x`uA%958i4CbEQOuej}Op)CrG=P1V{~U$tQ#*mS)6+V51rEt9=3o^6l9cmQ z83{F3r!e4vP{~176RZ3K)*Y^s9EJNDPs02a9D2P&vQ#`Qw4^H{IEErnj)bcyl!GHs z+s~ZOrnKs@wMEQ9RjJs=5UC)`U1$X%RTDl!v3(we6p6Zk?M;1ho&0%t!nHo9LnnZ( zLxOWH>Dr@|7H!d38%`D`;pfr*VJ@9P^3cM6Nru8hmQ8qeBdLEgE`@94Ve8AoerF<( zES3T2o664mN)E~6lcz{GKQggo>Gw;PppY~13AQivF_!w(`PW5}&lMcBW9BE3Qvx{r zosz9c(04UC(-BF-eN$Ks6ml$;J>q5QjC@z{iSbTj`(zg7pWN^x8;-Q$sz+3Bn9ieQ z;fack?cq5iYyCB+hEs}`8>?Ha2{y3Z((L3Hy}IJ*!mNrOcRl-ZTML8LuQbmU{`8!6 za1``G&t$&HoE>q^{?v;6GurNe8HbMvlpOaUALd?58qTctF=&dMg1s`NRTlTWTc8w} zy;S25Z#!G#D=X7eW||3&elg*h{DMND#i}CaanRx+c?mi47Ju!;Cs>UaB|jyA`K9D2 zM6{?tp_T%Qml=M?c=i!e4qpzp&s8a&QT(;&qy3*6n&t5oLEk}T9BrRM`Pxl~aTjnO z{1`j#Vvd0A_6=6Pv@IBg2qa@*%Tii${_b6`|4+GBCe@sMu5!$_0H_tp12zJ)JLwrx>VTAEtbA% z9)W*;-eYt^xG3}apN&uB!F@OziQw?LYtd6e6hQafg`z-~IH9Z$jw99SLTtS6uZ43U4JfehY1 zWh5c_V?yG=VO4mq+ha6h~5-5ZTtad!e%K<#1p^+t|0L~9IU`Hy)NtQ+Q z)}qkWekv^0kLbw<)lQz)O_Rk^M!;#fqKZvH<^+vS0pT~7OMcL{$ni2jCd>oW-vh7n zmE!h-&_5i8SCBxlA>0zmAQ^ntA|fj-!85dBfHiY~t8DEbwJmbI*s_LcNVStF5AGBP z5K(Aqm&hAr`B6c%7Ep>K1<$p(et2KNsYK}uGk~iT$PdVuFGMEcE>if`+O-KNq|pds z7usppc!4y3*Qg>%4B;L(fWRmQEH&WtssRLMUiuN~@|nlYXQZGBxwnzyOkrsv2>nGN zV($RT50zTLt$1*B#Yzt+F#rVJ;NKzu1P^0>Fdh5S7rDS@(ms%6(UqgFfbL@~ETUdH zLI>qO% z`w_b$KEd63_p%C~@S^An8(}7wcVg=hnF_}qQM|?`m*D=cbMjjqw`=@Vx zZ+dR}B8L5`Zce4cix*vcUR({5MhNW+jbl&sAOper8Q4;MR2Q+@_sWsAk&>y!am!9J z%fu32;mJSWRoDrdtE_K60(8QOT@bJ>jfzVZ;eLgXa1`Ri$v0YNf2;_cBaU-2xrw#Moq~B0WA4H?@}$4*QoH z(DqxKTSOwOX$eZFrxTFoc8%)6w~OAtUIP93ybtUSFi3)sjk&^0^ibN zU9cC0_8ci;lW#Uv>LBRq2V_mIyD!rYo{yt@N|_ZrDZ_3PAZ0lU&E+7sQHZ51C+@%R s{@+$2x&=FQF-L03=5fXTo)n2HI1C!T3Rj~0A7F~@M-i@E&(YTZ0cpd{g8%>k literal 0 HcmV?d00001 
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg new file mode 100755 index 0000000000000000000000000000000000000000..2c9512571bf9b2c2bba827bd5e95571174c8c492 GIT binary patch literal 5682 zcmeHKYgiL!7XFfO)m;&_)oL}1)M~riT3ah>3sb9jX}e3k)G9tETQ60Y?PgIZN=Qbu zf~{Mk(hAzT@m3L8q}n1Xgi)}>YAY(pAk+j5$|cGqK$wtZ=G!v~)PTC{&;7BJhbLs_ zoAbTrecyA=46ep?Xy98j=gdSRF+wZggYaDxJR^R2%mySvK1eu;a4Q-xZG~dlO0?oE zoDtz#^a&C@{vp19NPa!KZx@S1a25W3z3{mI;Ik+=06i^Ak%)qkI9MbJ7UA=v0|3xZ zED^z1_u(Jl=j#(F=_eMU{&3n)0z3CyLvTsrFAfj|qJI4cBC$x~Ba%o2EMmXFc#&A* z6YM+4FT{WFXcRDE$h4P3p9q}$=93>h^UBb9vB|@h?HDtC|8dK+6W8{8>fF^=$JWoE zw8^^jz>Ed!B4>upT0ZW*h3^kPQF858+ltL`>7T4T_+4p*>AA@tw#Pp|W$NrXZ!KCJ zy=wKEzkHmqenaAxl+>-Ce)h$eyD~C&?>Y3%;jAOsN59WMS#av~ne#uC=`Z|vvGRHq zU45gb;r5-zrskFoTPJJpazNrDiP*-`TWf1I-G@X4~OJDsZ%QZup& z^mHRTd(rCkTQiTGx=`I@pE76hnhl@s&OZI)jpnZBr@j^am&DKZ96fWfrp1A4&~HE< zaj+y95vcmLH3?alq}yv}txhNoZD2l(J3RQ*q_nELN&fR}Wo7n?JvDn(1qEt<=~rhz zN>rVzp`?XFlUkF?Uis}}@yZkVi^tVnTv>eQ*v`#^BVUbpe(Rc*mulmxcKrPMPW!Rs z&-*3sh(-%6xsw~yCda)!seWzx%QLh04SHo>tY&TnM%JKAg567nkR8#kF%GhMv~xZe zT|=gk>>-TyO^spq8ZCNf5a&x%Ta(UVRCKSaKSl@W`tca89k0V^;YkhKfD!XHMsLJ3 zh6J)i`z=OSmMZP3KS`aJjoT^53+h1_v7?=|EoKcr1tUW`ztL-;>l>j1r?9l00>LAwLYG4*<^@wg)fO5uG#!qb0m`r~#v# z*P@(l-H=)4HL5;M+k3e?J&amsvP?_WRoM^5kV~p4LdPgmKFtz(pnU>2Hy|6ClQu$40qrB$v-*BF}K{-`B-c6 z65^rBWngrAsFCU;aCyC^Q|joSM-J@TjM0YLwxJkB=9S3HEBM|B_HS)?xCA+ur(Ow@18egt(t?SFM)(b>CMiZejOc=fJI4G=vwWTkMxr7 zCPt6YPwrYESNBG3v}D~SI)=)4Aek3PCfIx3CCA!U^(whXNd0&bh?jHrBFJH$j}oEXN(gqRxC@{!G*vHs|3i6Vq!AE!x+;+7 z?yA~SX>W<|2VUGKa6fe^M$_WEJ6go_B^U)mX@J?y?v}=N{c3mP9*=RJ@*V$jFhs9r($m!qL}PFyC&=sF*uA@-)N2sAF+fj!p!>NvrCrl^t_UW_ zNFC)R1Mkg&S66?a{}%E?`t(#@+uk#<9t`|k_b7CEkHT>nDeXe!+$?W$glDc@eCB2B|xFgD!^_hDC&9`UA<_}ysuN)pm)|F&GQ#|7ILZ4i<-=C*lLl>`9 z4yP~fjt?7=GVAE!{C8(b-~DZ*T79s+`8~_QzxLClXa|k88h^HG_OH|x7yl`zMniUn zb>7Tv-L|@_D0o)e$mm5eq0;72|1h$DBu$wZ4OW;j8r_Kzo#aq7J6QG|Qa`>cjJv~g 
zHbYk4`jJZKVZx-9TI6a6qm@~vGR{MUaH9-{oJygDY~gIg()IU3FnXFYgqzKpJXmHH zZp(1$T^eI?VIy5MK*v=`t(UkIEnDSq8eunf#{LoYSmJV z;`FYy7(v@q>2)fy9B{;Q6>|F>qCsoJs9JfWSXioECF7el_S?KPi!&R9eTu)1Hwr0C z=)h>co>C>qEaMX0STcDkO7CwhKBbA!)p-_;XEl(xS!txDGF=@Yye74lyND?++#(RCX8HYE$7jTH_X)0){}r=%5-*hQW4tj&DlVYqvg<1wa2Eks+F;F2jP&EP?BsF&YbWc@3~0`5?4(LN zc(PU%?lc!~FdP3QK%}-(20{;cyq?Hz4EIP2nniFnBajsIj*S*vlHr6#zuweaN3Wkx z^H+e|W(Ck4Ycm^s6B*Dx*viH6u$N{x&}cT^oFKTP3hp`u1PXbBz^?wW7!CKxj^eM@ zOy{SNa=ngo>zx41XX>2_JFQd2wgCZx0|W<|;6nl_W-wKuAb-P@0uz@?cjG(5Hz)Hg z7^Rb=JZb!@wc63L0rozYR^iXlyp=I7Z8sbI!9hXxM&8O-gAc%!$!$GoX%io6=*Bw| z+zeLTN!DWYEqgpkmB=R3q$eu_(V*^72+EoB+urhbAtRUd3o! z_yD=j-*dvwF)1g8P#L$h`cwy*)AGVTD8mh%BbIDB>c4N~Q^Q(fuKtVnp<4VMRjeXA zLKjn_UrLJQhqno^nQXIRU>^8TB)3Vp0%y5SH5UXMXf~exf?S5t-Ee0MwMu45gvG|BKLRYUgzyh+8 z)G67@J@Hh)D4i>is2o6)@}aQ8VatPvq9`E=sPjci%b9RDg86_z50G;i;{s49l}-yJ z0*D6ET3lv$;Fqzv_C=6MI`;-fA3;%NhsTtd z^Xh)j?+fabTBDSXgLF{{O>N9`B=b5-&nXf;XVQF$O0tM7+sHCU!~Z&CDr4`5(GlrA zowH@OSq9ISVvxkC@Ff3wJX7bUPT24#8x;V*=h&xpxkx!%tO8E*qAh1w%M${DwPdl& z$zGSr3hD=VC@CV(FR?--kRXIk2_!3nIt^~%)7>OX92^0bSk4&dCDL2c&h&_8g!(vS zV*=(M!zg*IL&GNXQ22)&!uGUf3{mZFLZ1WQ{{)(hmLV9;<*gWnLPkV}8xW{8moG6g z!0x;leXf0JydWZ^#p;_Ga)GcNcti_{wuU$TB82JA6C)w6jR^wLCyXd@aza{`*@wl$5&A=D&R8Y_86)|#2LSBgZFBTIu)d8 z61>M&ApSKzryVM5{_uw)1~&wLEL_SD!x^R(G+Ngn>S)qGf>IO z%*Ov;{XZN3%ij3roa_C2Ipnnj*W^aWN7hpQQkVlCRZ|Li7c`BCTSUh}{u0Fo@v#K= fB6$E_^PL!VXn3A#4Pw)sUpb|QJhk~IiEsQHnySyG literal 0 HcmV?d00001 
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg new file mode 100755 index 0000000000000000000000000000000000000000..292d25654bdb690fd67b05bab161168aa66fe990 GIT binary patch literal 23580 zcmeHP2~-nT+nxYIU6Hy_7szL+Yc05fq7W4o5tS+;qCzZ-$X;#Hc|EY8XW|4Eh)o3j|bFP{e>g zZx5Aklt(CyR2-#%fkuPN%8H=pclRK0OHoDP8_Y;()adb$0!C2@qo^pAML~Ha0i&R( zq&DJPo*dUZr{nE-p$Nmsv z>)fPmS8XRR9+~>XgHoe|o$9rRm&^<`|IThLFE(w~(ka_@*V)e=<$2`%dM~NG77m0R zdPk4R1n!P{eg=0kes}Vds9| z;K&C|7U4Yojk}!vLZXtg3M*Ut(Mo6xaF2qTq8fyQs&rgY zsKTWPg@U7fQHZ-WH9$o1av~a0`|0tW6NwSG^}@0H>(eSi0@5=QZ^ngR$K~+D0w%Aa zjr~KP>umQ+a<#$fifQ3vEY{TNHjW}`T`u0Nc045XP_R))&U00Su5OA#^hw={D72Z= z%|)TiYwRq(4GKA)j7OoS5aI7Al+Y{Wqfk{Tx0;xu(#YSaZZ)nz=x4vG^$Z+AriV7C zIWdw7>J8&nuk2Ax4(j1|ew%p zg;r750t@SM_rfhXfdMGQUqa;DaM*1;FPfN#Ux4eWp&6o(D9S)YA#mk#4;Kn@d&}`X z9Lo4-;H0JA!~eMeg)Y-y_c2U$Dm3iQRa>3fS5djt0EKv>25f$|a#xL2;j1|drYSmf z(9T+0Gl;u=z1P>p>~r<5%4b+O9volxaUosAutwBJ5D8fRssVH@8HgUD1G* zt#FMhDD*@}auCp3=~@=9Z&w!z)y=BGiC((m0hMB^^D1^z$3_WDS&{Qeow+Yw8N~DM z2?Kg`8?G4v8rY2W`!o9r28T@=hB#vEB;6k0Q~60hx)#v)H88J(z!jLE2sEWF$D zrr^@~%x`@|ZxIp_6mr9swBD-RPQ5}|rSjCf85>fqmuqM$z9C%P)$P{XQG6a_RS^)O zUWh_bw^McP{5sk+pT!myl+!dsiW8^{7Iuu~WI5S=S91MMYUKQ#Nu?%6Mxq8C zwpZhX5!cOgW;>qi?a`QgBIWXpXX>7V?#J6Xz7YSx48r#g>E{Tt^|C5ePyN1wOvQpj|E{P*YE%cCPpH5hvc3F1W3@Zm#f(% zpq)h_JrF@1NKP>Qxio;r^SVhWl%-We1Fz)L1Z6Op60nZWgJ&S_IY^Nv2wUW@&ULW`M+jc{A#tqe( z4|Epb>Ng{SIlbz*JaLc^MEChbGbAtw1a}?MC0Ozt;frYQC|eF`pc(f|wD_F1>_OUot{n{8@!4W08l9Oc52n_SVn1>{CjB>}{xT2R9tz+mGP+t#9kA2EqOV2r!2Ofnh3Z zECc*7fGmZ;$B^hw8InKf8O#C(bJalC1N7I+y^)FNG~h}=Ds5K@clQ{ARNCLa9wgX7d|I{0rxSiV z!f~G?pm%;7EZ)!|1bV0cG6|%fFvA%jf+2CxgEiZ#nM6`0{cO{6VOEgm?}F zwxQ$vGkOFLHs25y`hctk4d5ZoJ|L?hF?ukXKL7z`Fq+?KYo+_8fk;ZZZ?W=zxS2{4 zJ4qul6H8pY*+toeap}`NO}gn#^Sg=*U6DEJ4SOutt#qDG#hE$q@ma~ytAcOGL`9mn zFKt+u;u)<1&<~LVgW0-0&NY;-F{cM^svdPuui_Sh((7>-Q9~i+^*MLz|Y+85Psg*anU1>S=CV?r=FgA z^1vv>G_&%Nd+YPGE?N 
zjW=D3ugs--H$G)F>4kUQ_jloTlnF$4^gtRzXVRC5PNwM{XK?gahSxtyDtmPHS-Hha zBQw)6CpN1&Zp>OrmS#!~>PRM-#y7{hkwrfpf_W1>u##3?9Z)z3x$do8BkTmnB99n?y&@K}$nZB3bX)StBd9tw?e=rB8HU{*@>!InwRrFyfifA+#3 z;9GhUJnY4UX41K6oow1&@{hC#OOxKl%96bzwu8qdO&0Q|DbTFkeV5;pIZ6IuzBgih z$DB5^T>FdX!M5Am=59KSNin9F)CDV^BUf-3x3~FgJ`qQBn7yfZ74S6pfzNSss^JFl z&IF-bW=8I4SFty134R<^n(a3%%*Z0%(B)h7?(lSIYmYzN(oZ3ech%pROgfX_=#to4 zHhcc|PIJ}T8zmZH9{L=?oDAYcQgf7MIqI| z{!|V#TPMN>(R_dB4U-lG2hjp{a%$9zKr?I^JD1YL%+}74zKafS^m1xO_Hfvb3VJjp zy>`h0YofpxiIJZA;y|mF@ML6yJANfemwN{j>O;Jc-JH?FOtW6@z5+RvW33R9Pz&>I5Fr%yD@r>luac>|7wZ z$`FgaGb?OJm0D&%a)!*0z{4oyCbL4In$$@WQESky&RihPugH-BPfGobMX=o5TuHA~ zI`9gaooQs7K@Hz(FytAjzbU@>0Vse@WT=q&8=MZjcA$xInG883nMJj)+9y_?$KrQ{ zOljGll%(bsuvzKb4L6a;6j}hDE`47xpU|dJ(ao=&X@>XW7rM6!&R1Rd=_mJ+jxDF! z+-g(PSmw7gimm3m-qn6|wL*AnrVWQ9uIklZ^j%U=;}qMQ3HFJ{V=QKco!n6DU*fmx zw-Jz+Ei%O`rBOiQ>FoDv@)lodCx=^?UN~i%d+*3ye#)C_p<7vQ`ox|(nnwCu{(8%w ztf?8gn7JX(w~m}@HfHnIpSfG-Cv$)OHtnXW79(!b8bfOzYN8lx*gs7|0Z=UF3iYxK z72&*qq@0MnvM!2H-(9H;UlebaZzh_Fuuv#339+S#HQBQQuCyR$W{bgmO*jIDQfxp; zbxyP+Qe=Y{uVsPxo8Re^phO#+Q{{Eh`SKm{L+4JBi?4fycT@Ko1TSLGKKg3KVnUy0 zTR`$3y7;cR8WDZ=i3%cC^{$@xYlPdbL9;#^GbUh?#j1q(bK$x#K%toso$kZVi)kRc z?(oJJ&@T|L{g{@{GCI&cUt-+VFKk+!nbBcn=gr;j^GunnmbDP4IY)2oWaTYY%{k=g zCv`94>=s*0^FF@vw88fA!8xq0ob4KzWzVi5){&dwZFURDYRJ~w#4OwhX0&HY!()F< z#QwYDW3zBcKDfsvEN1z%>pvO2c_!|9;LUBJFWwRxe> z7cG^zppapcwDb(JbVpEoCed8nbK<}x+NGa~1kk0WY7}}#N1CvKjB4TrPyk@|Qp6&% zw6YD#J!Hu8}AZG#5SP<;js9_rT{ zJVW*Q&j-(!pzV|D49`7-x!_CG`Pyjvs5se93_>N$5Iz0fx)darUFFA#6tQ=@VD^?eu{T5v|$%$E|pBSFKzs-@)bQ3Rp>Na0P(=oHZV6R=e)hWh`y^YRV30FfC?1QjBW+nY*c49Wk z1{$X^5cGAm*{8AH`nX6-L|YjwExc9|tN_Nl z_WM81g75J%1NRYJf`uSCF5jDI_(MvL%df^ka$J5zBA4S*j?4eXzC(7@fuM>p!y4>^XTx`ZR3%qRU~csp+DWlSwP0T?sW+E$u?A8^i6A z!y1C45u>NcynT8;j^HpC@BTXNyOMI<2Ds zha^fQ-9f6e7LUPkm*s*Vg}0dY(7^XRxzh11US@gUO!Q1A2!;B$Np!&WT@+~oghJyc zbxuIKPlAuWkP9?Z6zX%4rUmlX%Z(#Pj(k}CgGoVTh@a%i?pS=C2s?_S*cLeIiB=Rk z$vWxI2m9%y+=v#(9KWVRdbRvi0yeoXV27>q9>V&Lnn^4l`&y1mi~5g|S2hMW0IuG^ 
zIdiY5=X(A(-YKFdwe$3lzalhwA=H7m)5e}itEYhd!J4zGu@Vp2CWo~ZxpUzH8}J!$DIp8j z&mIUZ>HgbL=u8d?gANODvo77gDEjToU}{4Pjwd0@O9Os!s5M8-Hqcyo#$<6vE4i4 z>S3#Tlht93VcBa`2_3ie+L!{LSFEzWn$hs_(}sZ3_EnR4PKhY=8@7>+Xk#03t0i!) z1bze<(?SK@BZ7Mumm`P3hKuzGkt3n-q?<7MJX@+N zW8vl?8AJCN$=JJphKwsE<7GsO1jAC2MWMC00S=ZwE8Vj9Z?ctX&PlMrT?k$nicN-J t<2b;Jj))d;p5@q=IG!!okBCGRg9%?=gqT?h*Wl_5z_+T4rEWwk{s+Eb*W>^I literal 0 HcmV?d00001