From eb29ed00ffb728961598633439ce122abc89667a Mon Sep 17 00:00:00 2001 
From: Benedikt - Desktop
Date: Sun, 18 Nov 2018 17:18:46 +0100
Subject: [PATCH] Removed old unused files from XSS
---
 .../webgoat/plugin/CrossSiteScripting.java | 6 --
 .../plugin/CrossSiteScriptingLesson5b.java | 74 -------------------
 .../resources/i18n/WebGoatLabels.properties | 1 -
 .../src/main/resources/js/dom-xss.js | 11 ---
 .../en/CrossSiteScripting_content10-off.adoc | 24 ------
 .../en/CrossSiteScripting_content11-off.adoc | 19 -----
 .../en/CrossSiteScripting_content12-off.adoc | 8 --
 .../en/CrossSiteScripting_content13-off.adoc | 19 -----
 .../en/CrossSiteScripting_content13a-off.adoc | 3 -
 .../en/CrossSiteScripting_content14-off.adoc | 13 ----
 .../en/CrossSiteScripting_content15-off.adoc | 31 --------
 .../en/CrossSiteScripting_content15a-off.adoc | 3 -
 .../en/CrossSiteScripting_content16-off.adoc | 3 -
 .../en/CrossSiteScripting_content5c.adoc | 9 ---
 .../en/CrossSiteScripting_content8-off.adoc | 20 -----
 .../en/CrossSiteScripting_content9-off.adoc | 8 --
 .../en/CrossSiteScripting_content9a-off.adoc | 5 --
 17 files changed, 257 deletions(-)
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/js/dom-xss.js
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a-off.adoc
 delete mode 100644
webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5c.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9-off.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9a-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java
index c1453a112..a98258022 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java
@@ -44,12 +44,6 @@ public class CrossSiteScripting extends NewLesson {
 @Override
 public List getHints() {
 List hints = new ArrayList();
-
-// hints.add(getLabelManager().get("SqlStringInjectionHint1"));
-// hints.add(getLabelManager().get("SqlStringInjectionHint2"));
-// hints.add(getLabelManager().get("SqlStringInjectionHint3"));
-// hints.add(getLabelManager().get("SqlStringInjectionHint4"));
-
 return hints;
 }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
deleted file mode 100644
index eb609039f..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
+++ /dev/null
@@ -1,74 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
- */
-@AssignmentPath("/CrossSiteScripting/attack5b")
-public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
-
- @Autowired
- UserSessionData userSessionData;
-
- @RequestMapping(method = RequestMethod.POST)
- public @ResponseBody
- AttackResult completed(@RequestParam String isReflectedXSS) throws IOException {
- // init
- System.out.println(userSessionData.getValue("xss-reflected5a-complete"));
-
- //TODO
-// if (null == userSessionData.getValue("xss-reflected5a-complete") || userSessionData.getValue("xss-reflected-5a-complete").equals("false")) {
-// //userSessionData.setValue("xss-reflected1-complete",(Object)"false");
-// return trackProgress(success().feedback("xss-reflected-5b-do5a-first").build());
-// }
-
- if (isReflectedXSS.toLowerCase().equals("no") || isReflectedXSS.toLowerCase().equals("n")) {
- //return trackProgress()
- return trackProgress(success().feedback("xss-reflected-5b-success").build());
- } else {
- return trackProgress(success().feedback("xss-reflected-5b-failure").build());
- }
- }
-}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 288952150..2bca3fd31 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -11,7 +11,6 @@ xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values
 xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
 xss-reflected-5a-hint-4=Just try purchasing something. You want your script to be included in the purchase-confirmation.
 xss-reflected-5b-success=Correct ... because
  • The script was not triggered by the URL/QueryString
  • Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.
-xss-reflected-5b-failure=Nope, pretty easy to guess now though.
 xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
 xss-reflected-6a-failure=Sorry that's not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.
 xss-reflected-6a-hint-1=To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the Developer Tools Lesson in the general category.)
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/dom-xss.js b/webgoat-lessons/cross-site-scripting/src/main/resources/js/dom-xss.js
deleted file mode 100644
index 3658f5e98..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/js/dom-xss.js
+++ /dev/null
@@ -1,11 +0,0 @@
-//webgoat.customjs.phoneHome = function (e) {
-// webgoat.customjs.jquery.ajax({
-// method:"POST",
-// url:"/WebGoat/CrossSiteScripting/dom-xss",
-// data:{param1:42,param2:24},
-// headers:{
-// "x-request-with":"dom-xss-vuln"
-// },
-// contentType:'application/x-www-form-urlencoded; charset=UTF-8'
-// });
-//}
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10-off.adoc
deleted file mode 100644
index 00d8d60f8..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10-off.adoc
+++ /dev/null
@@ -1,24 +0,0 @@
-== XSS Defense
-* HTML entity input encoding
-** Converting ‘<‘ and ‘>’ to < and > before storage
-* HTML entity output encoding
-** Converting ‘<‘ and ‘>’ to < and > before writing
-* Input validation
-** Positive model to allow valid characters only
-** New attacks found everyday
-*** negative filter not reliable
-* Setting HTTPOnly as a cookie attribute
-* Only allow post data to prevent reflected XSS
-* Use language specific built-in mechanisms
-** Page validation for .NET in web.config
-+
-----
-<%page ValidateRequest="true" %>
-----
-** Struts
-+
-----
-
-----
-
-*Any problems with these approaches?*
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11-off.adoc
deleted file mode 100644
index e5f833af8..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11-off.adoc
+++ /dev/null
@@ -1,19 +0,0 @@
-== Encoding Best Practices
-* Not as easy as it may seem
-** Web 2.0 apps (social networks, mashups, blogs, feeds, etc.)
-** HTML encoding, HTML attribute encoding, JavaScript encoding, URL encoding, …
-* Use a proven and tested framework
-** The OWASP AntiSamy project (Java & .NET)
-*** Very useful in social applications where HTML content is allowed as input from users
-*** http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
-** The OWASP ESAPI (Java, .NET, PHP, Classic ASP, Cold Fusion, Haskell)
-*** https://www.owasp.org/index.php/ESAPI
-** HTMLPurifier (PHP)
-*** http://htmlpurifier.org/
-** Anti-XSS Library from Microsoft
-*** Designed specifically for ASP.NET applications
-*** http://www.codeplex.com/AntiXSS
-* Some light reading:
-** http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java
-** https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
-
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12-off.adoc
deleted file mode 100644
index c371ae985..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12-off.adoc
+++ /dev/null
@@ -1,8 +0,0 @@
-== The Samy Attack!
-
-A very interesting XSS exploit. A single flaw led to a massive attack.
-
-http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
-
-Only published AFTER MySpace resolved this issue. *He only wanted more friends!*
-
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13-off.adoc
deleted file mode 100644
index d50c9d29d..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13-off.adoc
+++ /dev/null
@@ -1,19 +0,0 @@
-== XSS Phishing Example
-
-* A search page displays the search string
-* Attacker types in:
-** ‘String to search”>


- This feature requires account login:



- Enter Username:

- Enter Password:

-


-----
-
-*Attacker steals credentials and posts data to attacker site*
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a-off.adoc
deleted file mode 100644
index 442ae92e8..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a-off.adoc
+++ /dev/null
@@ -1,3 +0,0 @@
-== Try It! XSS Phishing
-
-Place Holder
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14-off.adoc
deleted file mode 100644
index 9f0a60ae4..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14-off.adoc
+++ /dev/null
@@ -1,13 +0,0 @@
-== HTTPOnly
-
-* Disallows access to cookie in most modern browsers
-** Even by the website that set the cookie in the first place
-
-* HTTPOnly Cookies are still accessible through AJAX
-** This is accomplished using the XmlHttpRequest object
-** Cookie data can still be read from the headers
-
-* Public web sites that support multiple browsers
-* Use a client-side script to determine the browser version for a visitor
-* The website can restrict sensitive information to visitors using browsers that mitigate cross site scripting attacks for cookies
-* Visitors with browsers that do not support HTTPOnly cookies can be given limited information or functionality along with a request to upgrade their software
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15-off.adoc
deleted file mode 100644
index cd99ded59..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15-off.adoc
+++ /dev/null
@@ -1,31 +0,0 @@
-== HTTPOnly Implementation
-
-* Java has limited support for HTTPOnly
-+
-----
-response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + "; HTTPOnly");
-----
-* Draft Servlet 3.0 specification (JSR 315)
-** Support in Cookie and SessionCookieConfig
-
-* ASP.NET 1.1 has no built-in support for HTTPOnly
-+
-----
-HttpCookie cookie = new HttpCookie("MyCookie");
-cookie.Value = cookieval;
-cookie.Path = FormsAuthentication.FormsCookiePath + "; HTTPOnly";
-context.Response.Cookies.Add(cookie);
-----
-* ASP.NET 1.1 EndRequest event listener
-+
-----
-private void OnEndRequest(object sender, EventArgs e)
-{
- HttpContext context = HttpContext.Current;
- foreach (string sCookie in context.Response.Cookies)
- {
- context.Response.Cookies[sCookie].Path += "; HTTPOnly";
- }
-}
----
-* ASP.NET 2.0 has HTTPOnly property in Cookie class
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a-off.adoc
deleted file mode 100644
index dac394f39..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a-off.adoc
+++ /dev/null
@@ -1,3 +0,0 @@
-== Try It! HTTPOnly
-
-Place Holder
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16-off.adoc
deleted file mode 100644
index de089b022..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16-off.adoc
+++ /dev/null
@@ -1,3 +0,0 @@
-== Try It! XSS LAB
-
-Place Holder
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5c.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5c.adoc
deleted file mode 100644
index ffc47194a..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5c.adoc
+++ /dev/null
@@ -1,9 +0,0 @@
-== Was it Really Reflected XSS?
-
-The last example was not truly reflected XSS ... Why you say?
-# Can you execute it by changing the URL? (No)
-# If you do follow the actual payload in a new tab, does it execute the script? (No ... go ahead and give it a try)
-
-The reason for #2 is that the response type
-
-
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc
deleted file mode 100644
index 6eda0dd78..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc
+++ /dev/null
@@ -1,20 +0,0 @@
-== DOM-based XSS Defense
-
-* Attacker creates url:
-+
-----
-http://mylogin.com/login?error=
-----
-
-* JavaScript must enforce input validation
-+
-----
- if ( errorMsg\[1\].match(/^[ a-zA-Z0-9:-]$/))
- {
- document.write(‘some error’);
- }
- else
- {
- document.write(''+errorMsg\[1\]+'');
- }
-----
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9-off.adoc
deleted file mode 100644
index a8ab8936d..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9-off.adoc
+++ /dev/null
@@ -1,8 +0,0 @@
-== Stored XSS Scenario
-* Attacker posts malicious script to a message board
-* Message is stored in a server database
-* Victim reads the message
-* The malicious script embedded in the message board post executes in the victim’s browser
-** The script steals sensitive information, like the session id, and releases it to the attacker
-
-*Victim does not realize attack occurred*
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9a-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9a-off.adoc
deleted file mode 100644
index 75fb1bc83..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9a-off.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-== Try It! Stored XSS
-
-Identify which field is susceptible to XSS
-
-It is always a good practice to scrub all input, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere in the application. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved.
\ No newline at end of file