Added bug report

Added message for missing solutions
Minor edits to lesson plans

git-svn-id: http://webgoat.googlecode.com/svn/trunk@353 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java

@@ -152,7 +152,7 @@ public class LessonSource extends HammerHead
 			}
 		}
 		if (source == null) { return "Source code is not available. Contact "
-				+ s.getWebgoatContext().getFeedbackAddress(); }
+				+ s.getWebgoatContext().getFeedbackAddressHTML(); }
 		return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
 									"Code Section Deliberately Omitted"));
 	}
@@ -175,7 +175,7 @@ public class LessonSource extends HammerHead
 			}
 		}
 		if (source == null) { return "Solution  is not available. Contact "
-				+ s.getWebgoatContext().getFeedbackAddress(); }
+				+ s.getWebgoatContext().getFeedbackAddressHTML(); }
 		return (source);
 	}
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -500,10 +500,13 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 			// that performs the convertMetacharsJavaCode() transform plus
 			// optionally adds a styled
 			// line number. Wouldn't color syntax be great too?
-		} catch (IOException e)
+		} catch (Exception e)
 		{
 			s.setMessage("Could not find source file");
-			src = ("Could not find source file");
+			src = ("Could not find the source file or source file does not exist.<br/>"
+					+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress() + "?subject=Source "
+					+ getSourceFileName() + " not found. Lesson: " + s.getCurrentLesson().getLessonName() + "\">" + 
+					s.getWebgoatContext().getFeedbackAddress() + "</a>");
 		}
 
 		Html html = new Html();
@@ -530,10 +533,13 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 		{
 			System.out.println("Solution: " + getLessonSolutionFileName());
 			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName()))), false);
-		} catch (IOException e)
+		} catch (Exception e)
 		{
 			s.setMessage("Could not find the solution file");
-			src = ("Could not find the solution file");
+			src = ("Could not find the solution file or solution file does not exist.<br/>"
+					+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress() + "?subject=Solution "
+					+ getLessonSolutionFileName() + " not found. Lesson: " + s.getCurrentLesson().getLessonName() + "\">" + 
+					s.getWebgoatContext().getFeedbackAddress() + "</a>");
 		}
 
 		Html html = new Html();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java

@@ -73,7 +73,7 @@ public abstract class LessonAdapter extends AbstractLesson
 								+ "In fact, most lessons can be created by following the easy to use instructions in the "
 								+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
 								+ "If you would prefer, send your lesson ideas to "
-								+ getWebgoatContext().getFeedbackAddress()));
+								+ getWebgoatContext().getFeedbackAddressHTML()));
 
 		String fileName = s.getContext().getRealPath("doc/New Lesson Instructions.txt");
 		if (fileName != null)

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java

@@ -101,7 +101,7 @@ public class ReportCardScreen extends LessonAdapter
 	{
 		ElementContainer ec = new ElementContainer();
 		ec.addElement(new StringElement("Comments and suggestions are welcome. "
-				+ getWebgoatContext().getFeedbackAddress() + "<br><br>"));
+				+ getWebgoatContext().getFeedbackAddressHTML() + "<br><br>"));
 
 		return ec;
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java

@@ -34,7 +34,9 @@ public class WebgoatContext
 
 	public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
 
-	public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
+	public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
+
+	public final static String FEEDBACK_ADDRESS = "email";
 
 	public final static String DEBUG = "debug";
 
@@ -64,7 +66,9 @@ public class WebgoatContext
 
 	private boolean codingExercises = false;
 
-	private String feedbackAddress = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
+	private String feedbackAddress = "webgoat@owasp.org";
+	
+	private String feedbackAddressHTML = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
 
 	private boolean isDebug = false;
 
@@ -88,6 +92,8 @@ public class WebgoatContext
 		defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
 		enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
 		codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
+		feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet, FEEDBACK_ADDRESS_HTML)
+				: feedbackAddressHTML;
 		feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
 				: feedbackAddress;
 		showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
@@ -175,6 +181,11 @@ public class WebgoatContext
 		return feedbackAddress;
 	}
 
+	public String getFeedbackAddressHTML()
+	{
+		return feedbackAddressHTML;
+	}
+
 	public boolean isDebug()
 	{
 		return isDebug;

webgoat/main/project/WebContent/WEB-INF/web.xml

@@ -111,6 +111,15 @@
       </description>
       <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
 
+ 	  <init-param>
+      		<param-name>email</param-name>
+      		<param-value>WebGoat@owasp.org</param-value>
+      		<description>
+        		The EMAIL address of the administrator to whom questions
+        		and comments about this application should be addressed.
+      		</description>
+      </init-param>
+      
 	  <init-param>
             <param-name>debug</param-name>
             <param-value>false</param-value>

webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html

@@ -78,7 +78,20 @@ only discussed the whitebox approach. You have to add following lines to the Hos
 </pre>
 <p>In this case only localhost, ip1 and ip2 are permitted to connect.</p>
 
-<h2>Users Configuration</h2>
+<h2>WebGoat Default Users and Roles for Tomcat</h2>
+<p>
+WebGoat requires the following users and roles to be configured in order for the application to run.
+<br/>
+  <pre>
+  &gt;role rolename="webgoat_basic"/&lt;
+  &gt;role rolename="webgoat_admin"/&lt;
+  &gt;role rolename="webgoat_user"/&lt;
+  &gt;user username="webgoat" password="webgoat" roles="webgoat_admin"/&lt;
+  &gt;user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/&lt;
+  &gt;user username="guest" password="guest" roles="webgoat_user"/&lt;
+  </pre>
+</p>
+<h2>Adding Users</h2>
 <p>
 Usually using WebGoat you just use the user guest with the password guest.
 But maybe in laboratory you have made a setup with one server and a lot of
@@ -93,8 +106,8 @@ Adding a user is straight forward. You can use the guest entry as an example. Th
 users should have the same role as the guest user. Add lines like this to the file:
 </p>
 <pre>
-	&lt;user name=&quot;user1&quot; password=&quot;password1&quot; roles=&quot;webgoat_user&quot;/&gt;
+	&lt;user name=&quot;student1&quot; password=&quot;password1&quot; roles=&quot;webgoat_user&quot;/&gt;
-	&lt;user name=&quot;user2&quot; password=&quot;password2&quot; roles=&quot;webgoat_user&quot;/&gt;
+	&lt;user name=&quot;student2&quot; password=&quot;password2&quot; roles=&quot;webgoat_user&quot;/&gt;
 	...
 </pre>
 

webgoat/main/project/WebContent/lesson_plans/UsefulTools.html

@@ -2,12 +2,11 @@
 <!-- Start Instructions -->
 <h1>Useful Tools</h1>
 <p>
-Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab 
+Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab or Paros to solve most of the lessons. </p>
-to solve most of the lessons. </p>
 <h2>WebScarab:</h2>
 <p>
 Like WebGoat, WebScarab is a part of OWASP. 
-WebScarab is a framework for analyzing applications that 
+WebScarab is a proxy for analyzing applications that 
 communicate using the HTTP and HTTPS protocols. Because WebScarab 
 operates as an intercepting proxy, we can review and modify requests 
 and responses.<br><br>
@@ -22,7 +21,7 @@ Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebu
 <br><br>
 <h2>IEWatch:</h2>
 <p>
-IEWatch is a tool to analyse HTTP and HTML for users of the Internet Explorer.<br><br>
+IEWatch is a tool to analyze HTTP and HTML for users of the Internet Explorer.<br><br>
 <img src="/WebGoat/images/introduction/iewatch.jpg"><br><br>
 Webpage:<a href="http://www.iewatch.com" target="_blank">http://www.iewatch.com</a>
 </p>
@@ -37,7 +36,7 @@ Webpage:<a href="http://www.wireshark.org" target="_blank">http://www.wireshark.
 
 <h2>Scanner:</h2>
 <p>
-There exist a lot of vulnerability scanner for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Here the links to two open source scanner. <br><br>
+There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to two open source scanner. <br><br>
 Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br>
 Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br>
 </p>

webgoat/main/project/WebContent/main.jsp

@@ -239,7 +239,11 @@ StringBuffer buildList = new StringBuffer();
 	  	</div>
 
 		<div id="bottom">
-			<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> | Project WebGoat</div>
+			<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> | 
+								<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> | 
+								<a href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Bug Report - Lesson: 
+												 <%=webSession.getCurrentLesson().getName()%>">Report Bug</a>
+			</div>
 	  	</div>
 	</div>
 </body>