Added a lesson for the CIA Triad in the general category, explaining the three elements of the triad.
This commit is contained in:
		
				
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							0529289f6d
						
					
				
				
					commit
					d2a2716a9a
				
			
							
								
								
									
									
								
							
							
						
						
									
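--- /dev/null
+++ b/webgoat-lessons/cia/pom.xml
@@ -0,0 +1,11 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cia</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>v8.0.0.SNAPSHOT</version>
+    </parent>
+</project>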
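--- /dev/null
+++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIA.java
@@ -0,0 +1,39 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * @author BenediktStuhrmann
+ * @since 11/2/18.
+ */
+public class CIA extends NewLesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.GENERAL;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 3;
+    }
+
+    @Override
+    public String getTitle() {
+        return "cia.title";
+    }
+
+    @Override
+    public String getId() {
+        return "CIA";
+    }
+}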
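Review bot: `getHints()` builds its empty list with `Lists.newArrayList()` imported from `com.beust.jcommander.internal.Lists`, an internal package of the JCommander command-line parsing library; internal packages carry no compatibility guarantee, and pulling a CLI library into a lesson module for a one-line list factory adds an unnecessary dependency edge. The JDK already covers this: `import java.util.Collections;` and `return Collections.emptyList();` (or `new ArrayList<>()` if something downstream mutates the returned list, which is not visible here), after which the JCommander import can go. The class has only an author tag and no summary; a one-liner such as `/** Lesson introducing the CIA triad (confidentiality, integrity, availability); the content is rendered from the CIA_*.adoc pages referenced in CIA.html. */` would tell a reader what it is for. `getDefaultRanking()` returns a bare `3` with no comment on how this ordering relates to the other GENERAL-category lessons; if the value is deliberate, a short why-comment is worth adding.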
							
								
								
									
									
								
							
							
						
						
									
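--- /dev/null
+++ b/webgoat-lessons/cia/src/main/resources/html/CIA.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_intro.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_confidentiality.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_integrity.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_availability.adoc"></div>
+</div>
+
+</html>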
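--- /dev/null
+++ b/webgoat-lessons/cia/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1 @@
+cia.title=CIA Triad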
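--- /dev/null
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc
@@ -0,0 +1,22 @@
+== Availability
+
+Confidentiality is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed.
+
+{nbsp} +
+
+=== Examples that compromise availability:
+
+** denial-of-service attacks (Dos)
+** server crashes
+** even fire or natural disasters
+
+{nbsp} +
+
+=== Examples of methods ensuring availability
+
+** intrusion detection systems
+** network traffic control
+** firewalls
+** physically and geographically isolated location
+*** fire- and waterproof
+** hardware maintenance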
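Review bot: The definition at the top of CIA_availability.adoc opens with `Confidentiality is "the property of being accessible and usable on demand by an authorized entity."` — the quoted property is availability, so the line should read `Availability is "the property of being accessible and usable on demand by an authorized entity."`; in the same file `(Dos)` should be `(DoS)`. The list of methods ensuring availability is weighted towards perimeter and detection controls (IDS, firewalls, traffic control) while the threats listed just above are crashes, fire and natural disasters; the controls that address those are redundancy and failover, tested backups with a disaster-recovery plan, and capacity planning with rate limiting or DDoS mitigation, so I would add bullets such as `** redundancy, failover and tested backups` and `** rate limiting and DDoS mitigation`. `physically and geographically isolated location` reads as if isolation were the control; geographically distributed (redundant) sites is the availability measure, and the `fire- and waterproof` sub-bullet belongs to that.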
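--- /dev/null
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc
@@ -0,0 +1,25 @@
+== Confidentiality
+
+Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it.
+
+While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers.
+
+{nbsp} +
+
+=== Examples that compromise confidentiality:
+
+** a hacker gets access to the password database of a company
+** sensitive emails being sent to incorrect individuals
+** a hacker reads sensitive information by intercepting and eavesdropping an information transfer
+
+{nbsp} +
+
+=== Examples of methods ensuring confidentiality
+
+** data encryption
+** authentication methods
+*** passwords
+*** two-factor authentication
+*** biometric verification
+** minimizing the number of places/times the information appears
+** physical security measurements like protected server rooms etc.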
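Review bot: The sentence `Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers.` in CIA_confidentiality.adoc is ungrammatical; suggest `Rather, confidentiality is one of the mechanisms by which privacy is achieved: it protects data from unauthorized viewers.` The methods list names authentication but not authorization: proving who someone is does not by itself decide what they may read, and the definition quoted above is about data not being made available to unauthorized parties, so add `** access control and authorization (least privilege)` as its own bullet. `data encryption` would be clearer if tied to the two examples above it — the stolen password database is data at rest, the intercepted transfer is data in transit — e.g. `** data encryption, both at rest and in transit`; for the password database specifically, the expected control is salted password hashing (bcrypt/scrypt/Argon2) rather than encryption, which is worth a sub-bullet. Minor wording: `physical security measurements` should be `physical security measures`, and `eavesdropping an information transfer` should be `eavesdropping on an information transfer`.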
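--- /dev/null
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc
@@ -0,0 +1,20 @@
+== Integrity
+
+Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality).
+
+{nbsp} +
+
+=== Examples that compromise integrity:
+
+** human error when entering data
+** errors during data transmission
+** software bugs, hardware failures
+** hackers change information that they should not have access to
+
+{nbsp} +
+
+=== Examples of methods ensuring integrity
+
+** well functioning authentication methods and access control
+** checking integrity with hash functions
+** backups, redundancy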
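Review bot: The parenthetical `(per example in a breach of confidentiality)` in CIA_integrity.adoc mislabels its own example: unauthorized alteration of data is a breach of integrity, whereas a breach of confidentiality is unauthorized disclosure; suggest `(for example by an attacker who has gained write access to the data)`, which also replaces the non-English `per example`. The bullet `checking integrity with hash functions` needs a caveat: a plain hash only catches accidental corruption, because an attacker who can modify the data can recompute and replace the hash too, so tamper detection requires a keyed MAC (e.g. HMAC) or a digital signature, or a hash obtained over a channel the attacker cannot alter; reword to `** checking integrity with hash functions combined with a MAC or digital signature`. `backups, redundancy` recover data after integrity is lost rather than prevent the loss, which is worth stating so readers do not confuse recovery with protection. `** hackers change information that they should not have access to` would read better as `** attackers modify information they are not authorized to change`.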
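--- /dev/null
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc
@@ -0,0 +1,7 @@
+== The CIA Triad
+
+The CIA Triad (confidentiality, integrity, availability) is a model for information security.
+The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
+If only one of those three elements can be breached it can have serious consequences for the parties concerned.
+
+The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization.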
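--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -20,6 +20,7 @@
         <module>cross-site-scripting</module>
         <module>html-tampering</module>
         <module>http-basics</module>
+        <module>cia</module>
         <module>http-proxies</module>
         <module>insecure-login</module>
         <module>insecure-deserialization</module>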
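--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -130,6 +130,11 @@
             <artifactId>http-proxies</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>cia</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.owasp.webgoat.lesson</groupId>
             <artifactId>idor</artifactId>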