Grammatical correctness. Updating (Aspect) wording.
git-svn-id: http://webgoat.googlecode.com/svn/trunk@74 4033779f-a91e-0410-96ef-6bf7bf53c507
		| @ -3,7 +3,7 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| In role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow obtain unauthorized roles.   | In a role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control scheme normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role.   | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| Each user is a member of a role that is allowed to access only certain resources. Your goal is to explore the access control rules that govern this site. Only the [Admin] group should have access to the 'Account Manager' resource. | Each user is a member of a role that is allowed to access only certain resources. Your goal is to explore the access control rules that govern this site. Only the [Admin] group should have access to the 'Account Manager' resource. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
|  | |||||||
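Review bot: the terminology is inconsistent between the two edited paragraphs of this hunk: the concept line speaks of roles ("A user can be assigned one or more roles"), but the goal line says "Only the [Admin] group should have access to the 'Account Manager' resource"; since the lesson is about role-based access control, say "the [Admin] role" in the goal as well. The two fixes on the right-hand side ("In a role-based access control scheme" and "somehow allow privilege escalation to an unauthorized role") are correct and read better than the originals.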
| @ -7,4 +7,3 @@ Basic Authentication is used to protect server side resources.  The web server w | |||||||
| <p><b>General Goal(s):</b></p> | <p><b>General Goal(s):</b></p> | ||||||
| For this lesson, your goal is to understand Basic Authentication and answer the questions below. | For this lesson, your goal is to understand Basic Authentication and answer the questions below. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
|  |  | ||||||
|  | |||||||
| @ -3,7 +3,7 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function listed in the web service definition language (WSDL). Lets learn something about WSDL files. Check out WebGoats web service description language (WSDL) file.  | Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL). Let's learn something about WSDL files. Check out WebGoat's web service description language (WSDL) file.  | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| Try connecting to the WSDL with a browser or Web Service tool. The URL for the web service is: http://localhost/WebGoat/services/SoapRequest The WSDL can usually be viewed by adding a ?WSDL on the end of the web service request. | Try connecting to the WSDL with a browser or Web Service tool. The URL for the web service is: http://localhost/WebGoat/services/SoapRequest The WSDL can usually be viewed by adding a ?WSDL on the end of the web service request. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
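Review bot: the WSDL expansion is inconsistent within this file even after the edit: the concept line says "web service definition language (WSDL)" while the unchanged goal line says "web service description language (WSDL)"; WSDL stands for Web Services Description Language, so change the concept line to match the goal line rather than the other way round. The apostrophe fixes ("Let's", "WebGoat's") are correct. Minor: the goal hard-codes http://localhost/WebGoat/services/SoapRequest with no port, so the instruction only matches an installation listening on port 80.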
| @ -4,11 +4,11 @@ | |||||||
|   |   | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.  | SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.  | ||||||
|  | <br><br> | ||||||
|  | Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br> | ||||||
| <br> | <br> | ||||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.<br> | It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.<br> | ||||||
| <br> |  | ||||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br> |  | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| The form below allows a user to view weather data. Try to inject an SQL string that results in all the weather data being displayed. | The form below allows a user to view weather data. Try to inject an SQL string that results in all the weather data being displayed. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
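Review bot: the rewritten right-hand paragraph introduces one spelling error and keeps one grammatical one: "queiries" should be "queries" (the removed left-hand line had it right), and "data that will used in OS command, scripts, and database queries" is missing "be" on both sides and should read "data that will be used in OS commands, scripts, and database queries". The sentence "This lesson will show the student several examples of SQL injection." is dropped without replacement; if that is intentional, fine, but say so in the commit message. On substance, the new clause "even if the threat of SQL injection has been prevented in some other manner" is sound defense-in-depth advice, but the paragraph never names the primary control; a short clause such as "build queries with parameterized statements instead of string concatenation" would make the prevention message concrete, since "sanitize" on its own invites blacklist filtering.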
| @ -4,11 +4,11 @@ | |||||||
|   |   | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.  | SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.  | ||||||
|  | <br><br> | ||||||
|  | Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br> | ||||||
| <br> | <br> | ||||||
| Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.<br> | It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queiries, even if the threat of SQL injection has been prevented in some other manner.<br> | ||||||
| <br> |  | ||||||
| It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.<br> |  | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| The form below allows a user to view their credit card numbers. Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'. | The form below allows a user to view their credit card numbers. Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
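Review bot: this concept paragraph is a verbatim copy of the one in the weather-data lesson in the previous hunk and carries the same two defects, "queiries" for "queries" and "data that will used" missing "be"; whatever correction is applied there must be applied here too, and since the two files are identical apart from the goal line, keeping the shared text in one place would stop them drifting apart in future commits.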
| @ -3,7 +3,7 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved. | It is always a good practice to scrub all input, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere in the application. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| The user should be able to add message content that cause another user to load an undesirable page or content. | The user should be able to add message content that cause another user to load an undesireable page or content. | ||||||
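Review bot: the right-hand side changes the correctly spelled "undesirable" to "undesireable" in three places (twice in the concept line, once in the goal line); revert those, since the commit is meant to fix spelling. Two further points on the same lines: "scrub all input, especially those inputs" introduces a singular/plural mismatch (keep "inputs" or change "those inputs" to "input"), and the goal line's "message content that cause another user" still needs "causes" on both sides.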
| @ -3,7 +3,7 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved. | It is always a good practice to scrub all input, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere in the application. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved. | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| Tomcat is configured to support the HTTP TRACE command. Your goal is to perform a Cross Site Trace (XST) attack. | Tomcat is configured to support the HTTP TRACE command. Your goal is to perform a Cross Site Trace (XST) attack. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
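Review bot: the concept paragraph in this hunk is the stored-XSS text reused unchanged and says nothing about HTTP TRACE or cross-site tracing, yet the goal line asks for an XST attack; the lesson needs at least one sentence explaining what TRACE is and why leaving it enabled matters, otherwise the student has no concept to connect the goal to. The same "undesireable" misspelling introduced in the previous hunk appears here twice on the right-hand side and should be "undesirable". Also, in the goal line "the HTTP TRACE command" should be "the HTTP TRACE method", which is the HTTP term.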
| @ -3,7 +3,7 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function listed in the web service definition language (WSDL).  | Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.  | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| This screen is the API for a web service. Check the WSDL for this web service and try to get some customer credit numbers. | This screen is the API for a web service. Check the WSDL file for this web service and try to get some customer credit numbers. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
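Review bot: "try to get some customer credit numbers" in the goal line is ambiguous on both sides; the WSDL lesson later in this commit says "credit card numbers", so use that wording here too. As in the earlier WSDL hunk, "web service definition language (WSDL) file" should read "Web Services Description Language (WSDL) file", which is what the acronym expands to.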
| @ -3,7 +3,10 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function listed in the web service definition language (WSDL).  | Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.  | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| Some web interfaces make use of Web Services in the background. If the front-end relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.<br/>In this exercise, try to change the password for a user other than 101. | Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends. | ||||||
| <!-- Stop Instructions --> | <br/> | ||||||
|  | <br> | ||||||
|  | In this exercise, try to change the password for a user other than 101. | ||||||
|  | <!-- Stop Instructions --> | ||||||
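Review bot: the two new break lines mix `<br/>` and `<br>` back to back; pick one form for the file (the other lessons touched in this commit use `<br>`), and if the intent is a blank line between the paragraph and the exercise, a single `<br><br>` as used in the SQL injection lessons is the consistent way to do it. Splitting the one-line goal into separate lines is an improvement. "front-end" was changed to "frontend"; either is fine, but use the same form across lessons. On substance, "corrupt the XML that the web interface sends" understates the point: the goal asks the student to change the password for a user other than 101, which means injecting additional XML into the SOAP request so the service acts on a different user id than the form intended; "inject additional XML elements into the SOAP request" would describe the exercise more precisely.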
| @ -3,7 +3,7 @@ | |||||||
| </div> | </div> | ||||||
| <p><b>Concept / Topic To Teach:</b> </p> | <p><b>Concept / Topic To Teach:</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function listed in the web service definition language (WSDL).  | Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL) file.  | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| Check the web service description language (WSDL) and try to obtain multiple customers credit card numbers. You will not see the results returned to this screen. When you believe you have succeeded, refresh the page and look for the 'green star' | Check the web service description language (WSDL) file and try to obtain multiple customer credit card numbers. You will not see the results returned to this screen. When you believe you have suceeded, refresh the page and look for the 'green star'. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
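Review bot: "suceeded" on the right-hand goal line is a misspelling introduced by this commit (the left-hand line had "succeeded"); revert it. The other changes on that line ("WSDL file", "multiple customer credit card numbers", the terminal period) are fine. The concept line has the same WSDL expansion problem as the other web service hunks: "web service definition language (WSDL) file" should be "Web Services Description Language (WSDL) file".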