This change includes two additional CSRF lessons. One for

by-passing a prompt (showing why prompts don't work).  The second for
by-passing CSRF tokens when XSS exists. 

It also modifies the existing CSRF lesson so that the lesson
can be extended and used by the two new lessons.


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@386 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_plans/CsrfPromptByPass.html

@@ -0,0 +1,32 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b>CSRF User Prompt By-Pass</p><br/>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+This lesson teaches how to perform CSRF attacks that by-pass user confirmation prompts.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+<p>
+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page 
+that contains a 'forged request' to execute commands with the victim's credentials.  Prompting 
+a user to confirm or cancel the command might sound like a solution, but can be by-passed if 
+the prompt is scriptable.  This lesson shows how to by-pass such a prompt by issuing another 
+forged request.  This can also apply to a series of prompts such as a wizard or issuing multiple 
+unrelated forged requests.</p> 
+
+
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple 
+malicious requests: the first to transfer funds, and the second a request to confirm the prompt 
+that the first request triggered.  The URL should point to the CSRF lesson with an extra 
+parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the 
+left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever 
+receives this email and happens to be authenticated at that time will have his funds transferred. 
+When you think the attack is successful, refresh the page and you will find the green check on 
+the left hand side menu.
+<!-- Stop Instructions -->
+

main/project/WebContent/lesson_plans/CsrfTokenByPass.html

@@ -0,0 +1,37 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b>CSRF Token Prompt By-Pass</p><br/>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+This lesson teaches how to perform CSRF attacks on sites that use tokens to mitigate CSRF attacks, but are vulnerable to CSS attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+<p>
+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into 
+loading a page that contains a 'forged request' to execute commands with the 
+victim's credentials.  </p>
+
+<p>Token-based request authentication mitigates these attacks.  This technique 
+inserts tokens into pages that issue requests.  These tokens are required to 
+complete a request, and help verify that requests are not scripted.  CSRFGuard from OWASP uses 
+this technique to help prevent CSRF attacks.</p>
+
+<p>However, this technique can be by-passed if CSS vulnerabilities exist on the same site.  
+Because of the same-origin browser policy, pages from the same domain can read content from 
+other pages from the same domain.  </p>
+
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains a malicious 
+request to transfer funds.  To successfully complete you need to obtain a valid request token.  
+The page that presents the transfer funds form contains a valid request token.  The URL for the 
+transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load 
+this page, read the token and append the token in a forged request to transferFunds. When you think
+the attack is successful, refresh the page and you will find the green check on the left hand side menu.
+<!-- Stop Instructions -->
+
+