From fc08681d89f0181860013f122354cee69a86badc Mon Sep 17 00:00:00 2001 
From: mjawurek
Date: Mon, 26 Oct 2009 15:58:15 +0000
Subject: [PATCH] A first attempt at internationalization of WebGoat.

For complete internationalization WebGoat needs two things:
1. Every text passage/label that appears in lessons must be independent of the current language set for WebGoat.
2. Every lesson plan and solution must be translated for each supported language.

Number 1 is achieved by using webgoat/util/WebGoatI18N.java and by having every output routed through this piece of code. You no longer say hints.add("Lesson Hint 1"); or ....addElement("Shopping Cart"); in the lesson you say hints.add(WebGoatI18N.get("Lesson Hint1")) or ....addElement(WebGoatI18N.get("Shopping Cart")). Then WebGoatI18N looks up the corresponding string for the language set as the current language and returns it.

Number 2 is achieved by having subdirectories in lesson_plans corresponding to every language. That means, a lesson that has been translated to Spanish and German will be found in lesson_plans/English and lesson_plans/Spanish and lesson_plans/German.

This is how WebGoat finds out about available languages: in Course.java in loadResources() it looks for lesson plans. Unlike before, now a lesson plan can be found multiple times in different "language" directories. So for every directory the lesson plan is found in, WebGoat associates this language with the lesson and also lets WebGoatI18N load the appropriate WebGoatLabels_$LANGUAGE$.properties file which contains the translations of labels.

So this is what you have to do for a new language: First of all, you have to copy and translate every lesson plan that you need in the new language, and then you also have to create a WebGoatLabels_$LANGUAGE$.properties file with the labels that will be used in these lessons. Atm WebGoat crashes (throws an exception) when a label is missing but this can be sorted out quickly.
git-svn-id: http://webgoat.googlecode.com/svn/trunk@389 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../WebGoatLabels_english.properties | 228 ++++++++++++++++++ .../WebGoatLabels_german.properties | 208 ++++++++++++++++ .../owasp/webgoat/lessons/AbstractLesson.java | 50 +++- .../webgoat/lessons/BasicAuthentication.java | 62 ++--- .../webgoat/lessons/CommandInjection.java | 43 ++-- .../webgoat/lessons/HiddenFieldTampering.java | 46 ++-- .../org/owasp/webgoat/lessons/HtmlClues.java | 35 +-- .../org/owasp/webgoat/lessons/HttpBasics.java | 5 +- .../webgoat/lessons/JavaScriptValidation.java | 52 ++-- .../owasp/webgoat/lessons/LessonAdapter.java | 6 +- .../owasp/webgoat/lessons/LogSpoofing.java | 21 +- .../lessons/PathBasedAccessControl.java | 63 +++-- .../owasp/webgoat/lessons/ReflectedXSS.java | 52 ++-- .../webgoat/lessons/RemoteAdminFlaw.java | 17 +- .../webgoat/lessons/SqlNumericInjection.java | 36 ++- .../webgoat/lessons/SqlStringInjection.java | 33 ++- .../org/owasp/webgoat/lessons/StoredXss.java | 36 +-- .../lessons/WeakAuthenticationCookie.java | 54 ++--- .../org/owasp/webgoat/session/Course.java | 19 +- .../org/owasp/webgoat/session/WebSession.java | 50 ++-- .../owasp/webgoat/session/WebgoatContext.java | 25 +- .../org/owasp/webgoat/util/WebGoatI18N.java | 41 ++++ .../main/project/WebContent/css/webgoat.css | 4 +- .../WebContent/javascript/menu_system.js | 7 + .../{ => English}/AccessControlMatrix.html | 0 .../lesson_plans/{ => English}/BackDoors.html | 0 .../{ => English}/BasicAuthentication.html | 0 .../{ => English}/BlindSqlInjection.html | 0 .../{ => English}/BufferOverflow.html | 0 .../lesson_plans/{ => English}/CSRF.html | 0 .../{ => English}/ChallengeScreen.html | 0 .../{ => English}/ClientSideFiltering.html | 0 .../{ => English}/ClientSideValidation.html | 0 .../{ => English}/CommandInjection.html | 1 + .../{ => English}/ConcurrencyCart.html | 0 .../{ => English}/CrossSiteScripting.html | 0 .../{ => English}/CsrfPromptByPass.html | 0 .../{ => 
English}/CsrfTokenByPass.html | 0 .../{ => English}/DBCrossSiteScripting.html | 0 .../{ => English}/DBSQLInjection.html | 0 .../{ => English}/DOMInjection.html | 0 .../lesson_plans/{ => English}/DOMXSS.html | 0 .../lesson_plans/{ => English}/DOS_Login.html | 0 .../{ => English}/DangerousEval.html | 0 .../lesson_plans/{ => English}/Encoding.html | 0 .../{ => English}/FailOpenAuthentication.html | 0 .../{ => English}/ForcedBrowsing.html | 0 .../{ => English}/ForgotPassword.html | 0 .../{ => English}/HiddenFieldTampering.html | 7 +- .../lesson_plans/{ => English}/HowToWork.html | 0 .../lesson_plans/{ => English}/HtmlClues.html | 3 +- .../{ => English}/HttpBasics.html | 0 .../lesson_plans/{ => English}/HttpOnly.html | 0 .../{ => English}/HttpSplitting.html | 0 .../{ => English}/InsecureLogin.html | 0 .../{ => English}/JSONInjection.html | 0 .../{ => English}/JavaScriptValidation.html | 8 +- .../{ => English}/Lesson_Plan_Template.html | 0 .../{ => English}/LogSpoofing.html | 0 .../{ => English}/MultiLevelLogin1.html | 0 .../{ => English}/MultiLevelLogin2.html | 0 .../lesson_plans/{ => English}/NewLesson.html | 0 .../{ => English}/PasswordStrength.html | 0 .../{ => English}/PathBasedAccessControl.html | 0 .../lesson_plans/{ => English}/Phishing.html | 0 .../{ => English}/ReflectedXSS.html | 0 .../{ => English}/RemoteAdminFlaw.html | 0 .../{ => English}/RoleBasedAccessControl.html | 0 .../{ => English}/SQLInjection.html | 0 .../SameOriginPolicyProtection.html | 0 .../{ => English}/SessionFixation.html | 0 .../{ => English}/SilentTransactions.html | 0 .../{ => English}/SoapRequest.html | 0 .../{ => English}/SqlNumericInjection.html | 0 .../{ => English}/SqlStringInjection.html | 0 .../lesson_plans/{ => English}/StoredXss.html | 0 .../{ => English}/ThreadSafetyProblem.html | 0 .../{ => English}/TomcatSetup.html | 224 ++++++++--------- .../lesson_plans/{ => English}/TraceXSS.html | 0 .../{ => English}/UncheckedEmail.html | 0 .../{ => English}/UsefulTools.html | 0 .../{ => 
English}/WSDLScanning.html | 0 .../WeakAuthenticationCookie.html | 6 +- .../{ => English}/WeakSessionID.html | 0 .../{ => English}/WelcomeScreeen.html | 0 .../{ => English}/WsSAXInjection.html | 0 .../{ => English}/WsSqlInjection.html | 0 .../{ => English}/XMLInjection.html | 0 .../{ => English}/XPATHInjection.html | 0 .../German/BasicAuthentication.html | 15 ++ .../lesson_plans/German/CommandInjection.html | 16 ++ .../German/HiddenFieldTampering.html | 14 ++ .../lesson_plans/German/HtmlClues.html | 13 + .../lesson_plans/German/HttpBasics.html | 29 +++ .../German/JavaScriptValidation.html | 19 ++ .../lesson_plans/German/LogSpoofing.html | 17 ++ .../German/PathBasedAccessControl.html | 11 + .../lesson_plans/German/ReflectedXSS.html | 19 ++ .../lesson_plans/German/RemoteAdminFlaw.html | 16 ++ .../German/SqlNumericInjection.html | 18 ++ .../German/SqlStringInjection.html | 20 ++ .../lesson_plans/German/StoredXss.html | 16 ++ .../German/WeakAuthenticationCookie.html | 22 ++ webgoat/main/project/WebContent/main.jsp | 24 +- 104 files changed, 1223 insertions(+), 488 deletions(-) create mode 100644 webgoat/main/project/JavaSource/WebGoatLabels_english.properties create mode 100644 webgoat/main/project/JavaSource/WebGoatLabels_german.properties create mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/util/WebGoatI18N.java rename webgoat/main/project/WebContent/lesson_plans/{ => English}/AccessControlMatrix.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/BackDoors.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/BasicAuthentication.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/BlindSqlInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/BufferOverflow.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/CSRF.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ChallengeScreen.html (100%) 
rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ClientSideFiltering.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ClientSideValidation.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/CommandInjection.html (94%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ConcurrencyCart.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/CrossSiteScripting.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/CsrfPromptByPass.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/CsrfTokenByPass.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/DBCrossSiteScripting.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/DBSQLInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/DOMInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/DOMXSS.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/DOS_Login.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/DangerousEval.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/Encoding.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/FailOpenAuthentication.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ForcedBrowsing.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ForgotPassword.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/HiddenFieldTampering.html (83%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/HowToWork.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/HtmlClues.html (74%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/HttpBasics.html (100%) rename 
webgoat/main/project/WebContent/lesson_plans/{ => English}/HttpOnly.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/HttpSplitting.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/InsecureLogin.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/JSONInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/JavaScriptValidation.html (75%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/Lesson_Plan_Template.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/LogSpoofing.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/MultiLevelLogin1.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/MultiLevelLogin2.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/NewLesson.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/PasswordStrength.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/PathBasedAccessControl.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/Phishing.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ReflectedXSS.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/RemoteAdminFlaw.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/RoleBasedAccessControl.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/SQLInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/SameOriginPolicyProtection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/SessionFixation.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/SilentTransactions.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/SoapRequest.html (100%) rename 
webgoat/main/project/WebContent/lesson_plans/{ => English}/SqlNumericInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/SqlStringInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/StoredXss.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/ThreadSafetyProblem.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/TomcatSetup.html (97%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/TraceXSS.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/UncheckedEmail.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/UsefulTools.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/WSDLScanning.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/WeakAuthenticationCookie.html (80%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/WeakSessionID.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/WelcomeScreeen.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/WsSAXInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/WsSqlInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/XMLInjection.html (100%) rename webgoat/main/project/WebContent/lesson_plans/{ => English}/XPATHInjection.html (100%) create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/BasicAuthentication.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/CommandInjection.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/HiddenFieldTampering.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/HtmlClues.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/HttpBasics.html create mode 100644 
webgoat/main/project/WebContent/lesson_plans/German/JavaScriptValidation.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/LogSpoofing.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/PathBasedAccessControl.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/ReflectedXSS.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/RemoteAdminFlaw.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/SqlNumericInjection.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/SqlStringInjection.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/StoredXss.html create mode 100644 webgoat/main/project/WebContent/lesson_plans/German/WeakAuthenticationCookie.html diff --git a/webgoat/main/project/JavaSource/WebGoatLabels_english.properties b/webgoat/main/project/JavaSource/WebGoatLabels_english.properties new file mode 100644 index 000000000..4939dc531 --- /dev/null +++ b/webgoat/main/project/JavaSource/WebGoatLabels_english.properties 
@@ -0,0 +1,228 @@ +#General +LessonCompleted=Congratulations. You have successfully completed this lesson. +RestartLesson=Restart this Lesson +SolutionVideos=Solution Videos +ErrorGenerating=Error generating +InvalidData=Invalid Data + + +#HttpBasics.java +EnterYourName=Enter your Name +Go!=Go! + +#BasicAuthentication.java +BasicAuthHeaderNameIncorrect=Basic Authentication header name is incorrect. +BasicAuthHeaderValueIncorrect=Basic Authentication header value is incorrect. +BasicAuthenticationWhatIsNameOfHeader=What is the name of the authentication header: +BasicAuthenticationWhatIsDecodedValueOfHeader=What is the decoded value of the authentication header: +Submit=Submit +BasicAuthenticationGreenStars1=Close your browser and login as +BasicAuthenticationGreenStars2= to get your green stars back. +BasicAuthenticationStage1Completed=Congratulations, you have figured out the mechanics of basic authentication.  - Now you must try to make WebGoat reauthenticate you as:     - username: basic     - password: basic. Use the Basic Authentication Menu to start at login page. +BasicAuthenticationAlmostThere1=You're almost there! You've modified the +BasicAuthenticationAlmostThere2= header but you are still logged in as +BasicAuthenticationAlmostThere3=. Look at the request after you typed in the 'basic' user credentials and submitted the request. Remember the order of events that occur during Basic Authentication. +BasicAuthenticationReallyClose=You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. When you figure out how to force the server to perform an authentication request, you have to authenticate as:

    user name: basic
    password: basic
+BasicAuthenticationUseTheHints=Use the hints! One at a time... + +BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies. + +BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials. +BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials. +BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie. + +BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies. +BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity. +BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials +BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client. +BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header. + + +#WeakAuthenticationCookie.java +InvalidCookie=Invalid cookie +IdentityRemembered=Your identity has been remembered +InvalidUsernameAndPassword=Invalid username and password entered. +UserName=User Name +Password=Password +Login=Login +RequiredFields=Required Fields +WeakAuthenticationCookiePleaseSignIn=Please sign in to your account. See the OWASP admin if you do not have an account. +SignIn=Sign in +PasswordForgotten=Goodbye! Your password has been forgotten +WelcomeUser=Welcome, +YouHaveBeenAuthenticatedWith=You have been authenticated with +Logout=Logout +Refresh=Refresh + +WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie. 
+WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password? +WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using WebScarab. +WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx
After logging in as aspect a cookie is added. 65432udfqtb
Is there anything similar about the cookies and the login names? + +#RemoteAdminFlaw.java +RemoteAdminFlawHint1=WebGoat has 2 admin interfaces. +RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable' +RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable' +RemoteAdminFlawHint4=Follow the Source! +RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions' + + + + + + +#PathBasedAccessControl.java +CurrentDirectory=Current Directory is: +ChooseFileToView=Choose the file to view: +ViewFile=View File +AccessDenied=Access denied +ItAppears1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see one file in this directory. +ItAppears2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see files in the webgoat directory. +CongratsAccessToFileAllowed=Congratulations! Access to file allowed +FileInAllowedDirectory=File is already in allowed directory - try again! +AccessToFileDenied1=Access to file/directory " +AccessToFileDenied2=" denied +FileTooLarge=File is too large +FileBinary=File is binary +TheFollowingError=The following error occurred while accessing the file: < +PathBasedAccessControlInstr1=The ' +PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted. 
An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml +ErrorGenerating=Error generating +ViewingFile=Viewing file: +File=File: +Dir=Dir: +IsFile= - isFile(): +Exists= - exists(): +PathBasedAccessControlHint1=Most operating systems allow special characters in the path. +PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); +PathBasedAccessControlHint3=Try .. in the path +PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE + + + + +#CommandInjection.java +Command=Command +CommandInjectionRightTrack1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig. +CommandInjectionRightTrack2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. This lesson is a command injection lesson, not access control. +YouAreCurrentlyViewing=You are currently viewing: +SelectFileFromListBelow=select file from list below +SelectLessonPlanToView=Select the lesson plan to view: +View=View +CommandInjectionHint1=The application is using a system command to return the contents of a file. +CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;) +CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix. +CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes + + + +#NumericSqlInjection.java +NumericSqlInjectionSecondStage=Bet you can't do it again! This lesson has detected your successfull attack and has now switched to a defensive mode. Try again to attack a parameterized query. +NoResultsMatched=No results matched. Try Again. 
+NumericSqlInjectionSecondStage2=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. +ErrorParsingAsNumber=Error parsing station as a number: +SelectYourStation=Select your local weather station: + +SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command. +SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM weather_data WHERE station = " + station +SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true. +SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ]. + + + + +#StringSqlInjection.java +StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query. +EnterLastName=Enter your last name: +NoResultsMatched=No results matched. Try Again. +SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command. +SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM user_data WHERE last_name = "accountName" +SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true +SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. + + + + + + + +#LogSpoofing.java +LoginFailedForUserName=Login failed for username +LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME +LogSpoofingHint1=Try to fool the human eye by using new lines. +LogSpoofingHint2=Use CR (%0d) and LF (%0a) for a new line. +LogSpoofingHint3=Try: Smith%0d%0aLogin Succeeded for username: admin +LogSpoofingHint4=Try: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script> + +#StoredXss.java +StoredXssHint1=You can put HTML tags in your message. +StoredXssHint1=Bury a SCRIPT tag in the message to attack anyone who reads it. +StoredXssHint1=Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field. +StoredXssHint1=Enter this: <script>alert(document.cookie);</script> in the message field. +MessageContentsFor=Message Contents For +Title=Title +PostedBy=Posted by +CouldNotFindMessage=Could not find this message +Message=Message +MessageList=Message List +CouldNotAddMessage=Could not add message to database +ErroGeneratingMessageList=Error while getting message list. + +#ReflectedXSS.java +ReflectedXSSWhoops1=Whoops! You entered +ReflectedXSSWhoops2= instead of your three digit code. Please try again. +ShoppingCart=Shopping Cart +ShoppingCartItems=Shopping Cart Items -- To Buy Now +Price=Price +Quantity=Quantity +Total=Total +TotalChargedCreditCard=The total charged to your credit card +UpdateCart=UpdateCart +EnterCreditCard=Enter your credit card number +Enter3DigitCode=Enter your three digit access code +Purchase=Purchase +ReflectedXSSHint1=A simple script is <SCRIPT>alert('bang!');</SCRIPT>. 
+ReflectedXSSHint2=Can you get the script to disclose the JSESSIONID cookie? +ReflectedXSSHint3=You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie +ReflectedXSSHint4=Can you get the script to access the credit card form field? +ReflectedXSSHint5=Try a cross site trace (XST) Command:
<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); document.write(str1);}</script>"); + +#HtmlClues.java +HtmlCluesBINGO=BINGO -- admin authenticated +HtmlCluesHint1=You can view the HTML source by selecting 'view source' in the browser menu. +HtmlCluesHint2=There are lots of clues in the HTML +HtmlCluesHint3=Search for the word HIDDEN, look at URLs, look for comments. + +#JavaScriptValidation.java +3LowerCase=Field1: exactly three lowercase characters +Exactly3Digits=Field2: exactly three digits +LettersNumbersSpaceOnly=Field3: letters, numbers, and space only +EnumerationOfNumbers=Field4: enumeration of numbers +SimpleZipCode=Field5: simple zip code +ZIPDashFour=Field6: zip with optional dash four +USPhoneNumber=Field7: US phone number with or without dashes + +ServerSideValidationViolation=Server side validation violation: You succeeded for +JavaScriptValidationHint1=The validation is happening in your browser. +JavaScriptValidationHint2=Try modifying the values with a proxy after they leave your browser +JavaScriptValidationHint3=Another way is to delete the JavaScript before you view the page. + +#HiddenFieldTampering.java +TotalPriceIs=Your total price is +ThisAmountCharged=This amount will be charged to your credit card immediately. + +HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server. +HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field. +HiddenFieldTamperingHint3=Use WebScarab to change the price of the TV from " +HiddenFieldTamperingHint32= to + + + + + + + + + + + 
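Review bot: several values in WebGoatLabels_english.properties are not valid single-line properties and java.util.Properties will split them into bogus keys. BasicAuthenticationReallyClose, WeakAuthenticationCookieHints4, SqlNumericInjectionHint2, SqlStringInjectionHint2 and ReflectedXSSHint5 all continue onto following lines with no trailing backslash, so `    user name: basic` is loaded as a separate key `user` with value `name: basic`, `"SELECT * FROM weather_data WHERE station = " + station` becomes key `"SELECT`, and the `<script type=\"text/javascript\">...` line of ReflectedXSSHint5 becomes key `<script`; end every continued line with `\`. StoredXssHint1 is assigned four times (the last assignment wins, so only the document.cookie payload survives and the three earlier hints are never shown); rename them StoredXssHint1 through StoredXssHint4. The values also carry residue from the Java string literals they were pasted from and this will now be rendered to the user verbatim: `BasicAuthenticationHint2=... the " + "user's login credentials.`, `PathBasedAccessControlHint2=... lesson_plans directory");`, `HiddenFieldTamperingHint3=... from "` and the trailing `");` on ReflectedXSSHint5. ErrorGenerating and NoResultsMatched are each defined twice with the same value (harmless, but deduplicate). Finally, PathBasedAccessControlInstr2 hardcodes lesson_plans/English; if the lesson now serves the plans directory for the current language, that path should come from the language setting rather than the label.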
diff --git a/webgoat/main/project/JavaSource/WebGoatLabels_german.properties b/webgoat/main/project/JavaSource/WebGoatLabels_german.properties new file mode 100644 index 000000000..cfd190b41 --- /dev/null +++ b/webgoat/main/project/JavaSource/WebGoatLabels_german.properties 
@@ -0,0 +1,208 @@ +#General +LessonCompleted=Herzlichen Glückwunsch! Sie haben diese Lektion erfolgreich abgeschlossen. +RestartLesson=Lektion neu beginnen +SolutionVideos=Lösungsvideos +ErrorGenerating=Fehler beim Generieren von +InvalidData=Ungültige Daten + +#HttpBasics.java +EnterYourName=Geben Sie Ihren Namen ein +Go!=Los gehts! + +#BasicAuthentication.java +BasicAuthHeaderNameIncorrect=Basic Authentication Header Name ist inkorrekt. +BasicAuthHeaderValueIncorrect=Basic Authentication Header Wert ist inkorrekt. +BasicAuthenticationWhatIsNameOfHeader=Was ist der Name des Authentication Header: +BasicAuthenticationWhatIsDecodedValueOfHeader=Was ist der dekodierte Wert des Authentication Header: +Submit=Abschicken +BasicAuthenticationGreenStars1=Schließen Sie Ihren Browser und loggen sich Sich als +BasicAuthenticationGreenStars2= ein um Ihre grünen Sterne wiederzubekommen. +BasicAuthenticationStage1Completed=Herzlichen Glückwunsch, Sie haben die Grundlagen von Basic Authentication verstanden - Jetzt versuchen Sie sich von WebGoat als: username: basic     - password: basic authentisieren zu lassen. Benutzen Sie das Basic Authentication Menu um eine Login Seite zu öffnen. +BasicAuthenticationAlmostThere1=Sie Sind fast da! Sie haben den +BasicAuthenticationAlmostThere2= Header manipuliert aber Sie sind immernoch als +BasicAuthenticationAlmostThere3= eingeloggt. Schauen Sie sich den Request an nachdem Sie die 'basic' Authentisierungsdaten eingetippt haben und die Anfrage abgeschickt haben. Halten Sie sich die Reihenfolge der Ereignisse die bei Basic Authentication eintreten vor Augen. +BasicAuthenticationReallyClose=Sie sind sehr nahe dran! Durch das Ändern des Session Cookie haben Sie den Server dazu gebracht eine neue Session für Sie zu erstellen. Dies hat sie allerdings nicht re-authentisiert. Wenn Sie herausgefunden haben wie Sie den Server dazu zwingen können Sie zu re-authentisieren dann authentisieren Sie sich als:

    user name: basic
    password: basic
+BasicAuthenticationUseTheHints=Benutzen Sie die Hinweise! Einen nach dem anderen... +BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies. + +BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials. +BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials. +BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie. + +BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies. +BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity. +BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials +BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client. +BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header. + + + +#WeakAuthenticationCookie.java +InvalidCookie=Ungültiger Cookie! +IdentityRemembered=Ihre Identität wurde abgespeichert +InvalidUsernameAndPassword=Benutzername und Passwort ungültig. +UserName=Benutzername +Password=Passwort +Login=Anmelden +RequiredFields=*Benötigte Felder +WeakAuthenticationCookiePleaseSignIn=Bitte melden Sie sich an. Kontaktieren Sie den OWASP Administrator wenn Sie keine Anmeldedaten haben. +SignIn=Anmeldung +PasswordForgotten=Auf Wiedersehen! Ihr Passwort wurde vergessen +WelcomeUser=Willkommen, +YouHaveBeenAuthenticatedWith=Sie wurden authentisiert mit +Logout=Abmelden +Refresh=Neu Laden + +WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie. 
+WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password? +WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using WebScarab. +WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx
After logging in as aspect a cookie is added. 65432udfqtb
Is there anything similar about the cookies and the login names? + +#RemoteAdminFlaw.java +RemoteAdminFlawHint1=WebGoat has 2 admin interfaces. +RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable' +RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable' +RemoteAdminFlawHint4=Follow the Source! +RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions' + + + +#PathBasedAccessControl.java +CurrentDirectory=Das aktuelle Verzeichnis ist: +ChooseFileToView=Wählen Sie die Datei zum Anzeigen: +ViewFile=Datei anzeigen +AccessDenied=Zugang verweigert +ItAppears1=Es scheint als wären Sie auf dem richtigen Weg. Befehle die das Betriebssystem beeinflussen könnten werden ignoriert. Sie dürfen nur eine Datei in diesem Verzeichnis anzeigen. +ItAppears2=Es scheint als wären Sie auf dem richtigen Weg. Befehle die das Betriebssystem beeinflussen könnten werden ignoriert. Sie dürfen nur Dateien im WebGoat Verzeichnis anzeigen. +CongratsAccessToFileAllowed=Herzlichen Glückwunsch! Zugang zur Datei gewährt +FileInAllowedDirectory=Die Datei ist bereits in einem erlaubten Verzeichnis - Versuchen Sie es erneut! +AccessToFileDenied1=Zugang zu Datei/Verzeichnis " +AccessToFileDenied2=" verweigert +FileTooLarge=Datei ist zu groß +FileBinary=Datei hat binär-Inhalt +TheFollowingError=Der folgende Fehler trat auf beim Zugriff auf die Datei: < +PathBasedAccessControlInstr1=Der ' +PathBasedAccessControlInstr2=' Benutzer hat Zugriff auf alle Dateien im lesson_plans/English Verzeichnis. Versuchen Sie den Zugangsmechanismus zu brechen indem Sie auf eine Resource zugreifen die nicht im gelisteten Verzeichnis liegt. Nachdem Sie eine Datei ausgewählt haben, wird WebGoat Ihnen sagen ob Sie Zugriff darauf haben. Eine interessante Datei könnte tomcat/conf/tomcat-users.xml sein. 
+ErrorGenerating=Fehler beim Generieren von +ViewingFile=Anzeige von Datei: +File=Datei: +Dir=Verzeichnis: +IsFile= - isFile() (ist eine Datei): +Exists= - exists() (existiert): + +PathBasedAccessControlHint1=Most operating systems allow special characters in the path. +PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); +PathBasedAccessControlHint3=Try .. in the path +PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE + + +#CommandInjection.java +Command=Befehl +CommandInjectionRightTrack1=Es scheint, dass Sie auf dem richtigen Weg sind. Befehle die das Betriebssystem kompromittieren können wurden deaktiviert. Die folgenden Befehle sind erlaubt: netstat -a, dir, ls, ifconfig und ipconfig. +CommandInjectionRightTrack2=Es scheint, dass Sie auf dem richtigen Weg sind. Befehle die das Betriebssystem kompromittieren können wurden deaktiviert. In dieser Lektion geht es um das Einschleusen von Befehlen, nicht um Zugangskontrolle. +YouAreCurrentlyViewing=Sie betrachten gerade: +SelectFileFromListBelow=wählen Sie eine Datei aus der Liste +SelectLessonPlanToView=Wählen Sie die zu betrachtende Lektion aus: +View=Anzeigen +CommandInjectionHint1=The application is using a system command to return the contents of a file. +CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;) +CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix. +CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes + + + +#NumericSqlInjection.java +SecondStage=Ich wette das können Sie nicht wiederholen. Diese Lektion hat nun in einen defensiven Modus gewechselt. Versuchen Sie nun eine parametrisierte Anfrage anzugreifen. +NoResultsMatched=Keine Resultate gefunden. Versuchen Sie es erneut. 
+SecondStage2=Da sie nun erfolgreich eine SQL Injection durchgeführt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. +ErrorParsingAsNumber=Fehler beim interpretieren der Wetterstationsnummer als Zahl: +SelectYourStation=Wählen Sie Ihre lokale Wetterstation aus: +SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command. +SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM weather_data WHERE station = " + station +SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true. +SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ]. + + +#StringSqlInjection.java +StringSqlInjectionSecondStage=Da sie nun erfolgreich eine SQL Injection durchgeführt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. Starten Sie Diese Lektion neu, wenn Sie zur verwundbaren SQL Anfrage gelangen möchten. +EnterLastName=Geben Sie Ihren Nachnamen ein: +NoResultsMatched=Keine Resultate gefunden, versuchen Sie es erneut +SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command. +SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM user_data WHERE last_name = "accountName" +SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true +SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. + + +#LogSpoofing.java +LoginFailedForUserName=Login failed for username +LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME +LogSpoofingHint1=Versuchen Sie das menschliche Auge durch Einfügen von weiteren Zeilen zu verwirren +LogSpoofingHint2=Benutzen Sie CR (%0d) und LF (%0a) für eine neue Zeile. +LogSpoofingHint3=Versuchen Sie: Smith%0d%0aLogin Succeeded for username: admin +LogSpoofingHint4=Versuchen Sie: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script> + +#StoredXss.java +StoredXssHint1=Sie können HTML tags in Ihre Nachricht einbauen. +StoredXssHint1=Bauen Sie ein SCRIPT tag in Ihre Nachricht ein um jeden Anzugreifen der sie liest +StoredXssHint1=Geben Sie: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in das Nachrichtenfeld ein. +StoredXssHint1=Geben Sie: <script>alert(document.cookie);</script> in das Nachrichtenfeld ein. +MessageContentsFor=Nachrichteninhalt für +Title=Titel +PostedBy=Geschrieben von +CouldNotFindMessage=Konnte diese Nachricht nicht finden +Message=Nachricht +MessageList=Nachrichtenliste +CouldNotAddMessage=Could not add message to database +ErroGeneratingMessageList=Error while getting message list. + + +#ReflectedXSS.java +ReflectedXSSWhoops1=Ups! Sie haben +ReflectedXSSWhoops2= anstatt des drei stelligen Codes eingegeben. Bitte versuchen Sie es erneut. 
+ShoppingCart=Warenkorb +ShoppingCartItems=Inhalt des Warenkorbs -- Jetzt kaufen +Price=Preis +Quantity=Menge +Total=Gesamt +TotalChargedCreditCard=Der Gesamtbetrag, mit dem Ihre Kreditkarte belastet wird +UpdateCart=Warenkorb aktualisieren +EnterCreditCard=Geben Sie Ihre Kreditkartennummern ein +Enter3DigitCode=Geben Sie Ihren 3-stelligen Sicherheitscode ein +Purchase=Kaufen +ReflectedXSSHint1=Ein einfaches Skript ist <SCRIPT>alert('bang!');</SCRIPT>. +ReflectedXSSHint2=Können Sie das Skript dazu bringen den JSESSIONID Cookie zu veröffentlichen? +ReflectedXSSHint3=Sie können <SCRIPT>alert(document.cookie);</SCRIPT> benutzen um an den Session ID Cookie zu kommen +ReflectedXSSHint4=Können Sie das Skript so gestalten, dass es an den Inhalt des Kreditkartenfeldes kommt? +ReflectedXSSHint5=Versuchen Sie einen cross site trace (XST) Befehl:
<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); document.write(str1);}</script>"); + +#HtmlClues.java +HtmlCluesBINGO=BINGO -- admin authentisiert +HtmlCluesHint1=Sie können Sich den HTML Quellcode anschauen indem Sie "View Source" im Browser anklicken. +HtmlCluesHint2=Es gibt viele Hinweise in HTML +HtmlCluesHint3=Suchen Sie nach den Worten HIDDEN, schauen Sie sich URLs an und suchen Sie nach Kommentaren. + +#JavaScriptValidation.java +3LowerCase=Feld1: genau drei kleine Buchstaben +Exactly3Digits=Feld2: genau drei Ziffern +LettersNumbersSpaceOnly=Feld3: Buchstaben, Ziffern und Leerzeichen +EnumerationOfNumbers=Feld4: ausgeschriebene Ziffern +SimpleZipCode=Feld5: Einfach Postleitzahlen (5 stellige Zahl) +ZIPDashFour=Feld6: Postleitzahlen mit optionalem Bindestrich und 4 stelliger Zahl +USPhoneNumber=Feld7: Telefonnummer in den USA, mit oder ohne Bindestriche + +ServerSideValidationViolation=Server-seitige Validierungsverstoß: Sie waren erfolgreich für +JavaScriptValidationHint1=Die Validierung findet in Ihrem Browser statt. +JavaScriptValidationHint2=Versuchen Sie den Wert zu verändern nachdem er Ihren Browser verlassen hat. +JavaScriptValidationHint3=Sie können aber auch JavaScript abschalten, bevor Sie sich die Seite anschauen. + +#HiddenFieldTampering.java +TotalPriceIs=Der Gesamtpreis ist +ThisAmountCharged=Ihre Kreditkarte wird sofort mit dem Betrag belastet + +HiddenFieldTamperingHint1=Die Applikation nutzt ein verstecktes Feld um Preisinformationen an den Server zu übertragen. +HiddenFieldTamperingHint2=Benutzen Sie ein Programm um den Wert des versteckten Feldes abzufangen und zu verändern. +HiddenFieldTamperingHint3=Benutzen Sie WebScarab um den Preis des Fernsehers auf einen anderen Wert einzustellen. 
+HiddenFieldTamperingHint32= bis + + + \ No newline at end of file diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java index 873a9a91b..54a710146 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java @@ -10,7 +10,11 @@ import java.net.URL; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; +import java.util.HashMap; +import java.util.LinkedList; import java.util.List; +import java.util.Map; + import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; @@ -26,6 +30,8 @@ import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext; import org.owasp.webgoat.session.WebgoatProperties; +import org.owasp.webgoat.util.WebGoatI18N; + /*************************************************************************************************** @@ -95,12 +101,16 @@ public abstract class AbstractLesson extends Screen implements Comparable lessonPlanFileName = new HashMap(); private String lessonSolutionFileName; private WebgoatContext webgoatContext; - + + private LinkedList availableLanguages = new LinkedList(); + + private String defaultLanguage = "English"; + /** * Constructor for the Lesson object */ @@ -392,22 +402,29 @@ public abstract class AbstractLesson extends Screen implements Comparable getAvailableLanguages(){ + return this.availableLanguages; + } + public String getLessonSolutionFileName() { return lessonSolutionFileName; diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java index f7ba35023..88d7eb1a3 100644 
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java @@ -13,6 +13,7 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -101,12 +102,12 @@ public class BasicAuthentication extends SequentialLessonAdapter { if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION)) { - s.setMessage("Basic Authentication header name is incorrect."); + s.setMessage(WebGoatI18N.get("BasicAuthHeaderNameIncorrect")); } if (headerValue.length() > 0 && !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat"))) { - s.setMessage("Basic Authentication header value is incorrect."); + s.setMessage(WebGoatI18N.get("BasicAuthHeaderValueIncorrect")); } } @@ -120,8 +121,8 @@ public class BasicAuthentication extends SequentialLessonAdapter TR row1 = new TR(); TR row2 = new TR(); - row1.addElement(new TD(new StringElement("What is the name of the authentication header: "))); - row2.addElement(new TD(new StringElement("What is the decoded value of the authentication header: "))); + row1.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsNameOfHeader")))); + row2.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsDecodedValueOfHeader")))); row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString()))); row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString()))); 
@@ -132,7 +133,7 @@ public class BasicAuthentication extends SequentialLessonAdapter ec.addElement(t); ec.addElement(new P()); - Element b = ECSFactory.makeButton("Submit"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit")); ec.addElement(b); } catch (Exception e) @@ -158,7 +159,7 @@ public class BasicAuthentication extends SequentialLessonAdapter getLessonTracker(s, originalUser).setStage(1); getLessonTracker(s, originalUser).store(s, this); makeSuccess(s); - s.setMessage("Close your browser and login as " + originalUser + " to get your green stars back."); + s.setMessage(WebGoatI18N.get("BasicAuthenticiationGreenStars1")+ originalUser + WebGoatI18N.get("BasicAuthenticationGreenStars2")); return ec; } else @@ -184,11 +185,7 @@ public class BasicAuthentication extends SequentialLessonAdapter getLessonTracker(s, BASIC).store(s, this, BASIC); } - s.setMessage("Congratulations, you have figured out the mechanics of basic authentication."); - s.setMessage("  - Now you must try to make WebGoat reauthenticate you as: "); - s.setMessage("    - username: basic"); - s.setMessage("    - password: basic"); - s.setMessage("Use the Basic Authentication Menu to start at login page."); + s.setMessage(WebGoatI18N.get("BasicAuthenticationStage1Completed")); // If the auth header is different but still the original user - tell the user // that the original cookie was posted bak and basic auth uses the cookie before the 
@@ -196,32 +193,28 @@ public class BasicAuthentication extends SequentialLessonAdapter if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION))) { ec - .addElement("You're almost there! You've modified the " + .addElement(WebGoatI18N.get("BasicAuthenticationAlmostThere1") + AUTHORIZATION - + " header but you are " - + "still logged in as " + + WebGoatI18N.get("BasicAuthenticationAlmostThere2") + s.getUserName() - + ". Look at the request after you typed in the 'basic' " - + "user credentials and submitted the request. Remember the order of events that occur during Basic Authentication."); + + WebGoatI18N.get("BasicAuthenticationAlmostThere3")); } else if (!originalSessionId.equals(s.getCookie(JSESSIONID))) { ec - .addElement("You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. " - + "When you figure out how to force the server to perform an authentication request, you have to authenticate as:

" - + "    user name: basic
" - + "    password: basic
"); + .addElement(WebGoatI18N.get("BasicAuthenticationReallyClose")); + } else { - ec.addElement("Use the hints! One at a time..."); + ec.addElement(WebGoatI18N.get("BasicAuthenticationUseTheHints")); } } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } 
@@ -252,22 +245,19 @@ public class BasicAuthentication extends SequentialLessonAdapter // switch ( stage ) // { // case 1: - hints.add("Basic authentication uses a cookie to pass the credentials. " - + "Use a proxy to intercept the request. Look at the cookies."); - hints.add("Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials."); - hints.add("Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials."); - hints.add("Use WebScarab -> Tools -> Transcoder to Base64 decode the " - + "the value in the Authorization cookie."); + hints.add(WebGoatI18N.get("BasicAuthenticationHint1")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint2")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint3")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint4")); + // break; // case 2: - hints.add("Basic authentication uses a cookie to pass the credentials. " - + "Use a proxy to intercept the request. Look at the cookies."); - hints.add("Before the WebServer requests credentials from the client, the current " - + "session is checked for validitity."); - hints.add("If the session is invalid the webserver will use the basic authentication credentials"); - hints.add("If the session is invalid and the basic authentication credentials are invalid, " - + "new credentials will be requested from the client."); - hints.add("Intercept the request and corrupt the JSESSIONID and the Authorization header."); + hints.add(WebGoatI18N.get("BasicAuthenticationHint5")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint6")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint7")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint8")); + hints.add(WebGoatI18N.get("BasicAuthenticationHint9")); + // break; // } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java index fdc592aa3..3ee6092a9 100644 
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java @@ -16,6 +16,7 @@ import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.Exec; import org.owasp.webgoat.util.ExecResults; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -78,7 +79,7 @@ public class CommandInjection extends LessonAdapter } index = index + 1; int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote - System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); + System.out.println(WebGoatI18N.get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase() .equals("netstat -a") || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") @@ -96,9 +97,8 @@ public class CommandInjection extends LessonAdapter } else { - s.setMessage("It appears that you are on the right track. " - + "Commands that may compromise the operating system have been disabled. " - + "The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig"); + s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack1")); + } } @@ -114,9 +114,7 @@ public class CommandInjection extends LessonAdapter } else { - s.setMessage("It appears that you are on the right track. " - + "Commands that may compromise the operating system have been disabled. " - + "This lesson is a command injection lesson, not access control."); + s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack2")); } } else 
@@ -125,10 +123,10 @@ public class CommandInjection extends LessonAdapter illegalCommand = false; } } - File safeDir = new File(s.getContext().getRealPath("/lesson_plans")); + File safeDir = new File(s.getContext().getRealPath("/lesson_plans/English")); - ec.addElement(new StringElement("You are currently viewing: " - + (helpFile.toString().length() == 0 ? "<select file from list below>" : helpFile.toString()) + ec.addElement(new StringElement(WebGoatI18N.get("YouAreCurrentlyViewing")+"" + + (helpFile.toString().length() == 0 ? "<"+WebGoatI18N.get("SelectFileFromListBelow")+">" : helpFile.toString()) + "")); if (!illegalCommand) @@ -153,11 +151,11 @@ public class CommandInjection extends LessonAdapter fileData = exec(s, cmd2); } - ec.addElement(new P().addElement("Select the lesson plan to view: ")); + ec.addElement(new P().addElement(WebGoatI18N.get("SelectLessonPlanToView"))); ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html", "\\.help")))); // ec.addElement( results ); - Element b = ECSFactory.makeButton("View"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("View")); ec.addElement(b); // Strip out some of the extra html from the "help" file ec.addElement(new BR()); 
@@ -272,27 +270,14 @@ public class CommandInjection extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("The application is using a system command to return the contents of a file."); - hints - .add("The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)"); - hints.add("Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix."); - hints.add("Note that the server may enclose the submitted file name within quotes"); + hints.add(WebGoatI18N.get("CommandInjectionHint1")); + hints.add(WebGoatI18N.get("CommandInjectionHint2")); + hints.add(WebGoatI18N.get("CommandInjectionHint3")); + hints.add(WebGoatI18N.get("CommandInjectionHint4")); return hints; } - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Choose the lesson plan you would like to view. " - + "Try to inject a command to the operating system."; - - return (instructions); - } private final static Integer DEFAULT_RANKING = new Integer(40); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java index ff21886b8..ce18071a4 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java @@ -22,6 +22,7 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** 
@@ -106,7 +107,7 @@ public class HiddenFieldTampering extends LessonAdapter total = quantity * Float.parseFloat(price); } catch (Exception e) { - s.setMessage("Invaild data " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("Invaild data") + this.getClass().getName()); price = PRICE_TV; quantity = 1.0f; total = quantity * Float.parseFloat(PRICE_TV); @@ -115,7 +116,7 @@ public class HiddenFieldTampering extends LessonAdapter if (price.equals(PRICE_TV)) { - ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); + ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart")))); ec.addElement(new BR()); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); @@ -125,10 +126,10 @@ public class HiddenFieldTampering extends LessonAdapter } TR tr = new TR(); - tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Total").setWidth("7%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%")); t.addElement(tr); tr = new TR(); 
@@ -149,10 +150,10 @@ public class HiddenFieldTampering extends LessonAdapter ec.addElement(new BR()); tr = new TR(); - tr.addElement(new TD().addElement("The total charged to your credit card:")); + tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":")); tr.addElement(new TD().addElement(money.format(total))); - tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); - tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()"))); + tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart")))); + tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("Purchase"), "validate()"))); t.addElement(tr); ec.addElement(t); @@ -169,10 +170,10 @@ public class HiddenFieldTampering extends LessonAdapter makeSuccess(s); } - ec.addElement(new P().addElement("Your total price is:")); + ec.addElement(new P().addElement(WebGoatI18N.get("TotalPriceIs")+":")); ec.addElement(new B("$" + total)); ec.addElement(new BR()); - ec.addElement(new P().addElement("This amount will be charged to your credit card immediately.")); + ec.addElement(new P().addElement(WebGoatI18N.get("ThisAmountCharged"))); } return (ec); 
@@ -196,26 +197,15 @@ public class HiddenFieldTampering extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("This application is using hidden fields to transmit price information to the server."); - hints.add("Use a program to intercept and change the value in the hidden field."); - hints - .add("Use WebScarab to change the price of the TV from " - + PRICE_TV + " to " + PRICE_TV_HACKED + "."); - + + hints.add(WebGoatI18N.get("HiddenFieldTamperingHint1")); + hints.add(WebGoatI18N.get("HiddenFieldTamperingHint2")); + hints.add(WebGoatI18N.get("HiddenFieldTamperingHint3")+ PRICE_TV +WebGoatI18N.get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED ); + return hints; } - /** - * Gets the instructions attribute of the HiddenFieldTampering object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already."; - - return (instructions); - } + private final static Integer DEFAULT_RANKING = new Integer(50); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java index 879bce3b5..0a5e0b6e6 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java @@ -19,6 +19,7 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** 
@@ -107,7 +108,7 @@ public class HtmlClues extends LessonAdapter { makeSuccess(s); - s.setMessage("BINGO -- admin authenticated"); + s.setMessage(WebGoatI18N.get("HtmlCluesBINGO")); ec.addElement(makeUser(s, "admin", "CREDENTIALS")); } else @@ -138,8 +139,8 @@ public class HtmlClues extends LessonAdapter protected Element makeUser(WebSession s, String user, String method) throws Exception { ElementContainer ec = new ElementContainer(); - ec.addElement(new P().addElement("Welcome, " + user)); - ec.addElement(new P().addElement("You have been authenticated with " + method)); + ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser")+ user)); + ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method)); return (ec); } @@ -158,12 +159,12 @@ public class HtmlClues extends LessonAdapter TR tr = new TR(); tr.addElement(new TH() - .addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") + .addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn")) .setColSpan(2).setAlign("left")); t.addElement(tr); tr = new TR(); - tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); + tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%")); t.addElement(tr); tr = new TR(); @@ -172,8 +173,8 @@ public class HtmlClues extends LessonAdapter TR row1 = new TR(); TR row2 = new TR(); - row1.addElement(new TD(new B(new StringElement("*User Name: ")))); - row2.addElement(new TD(new B(new StringElement("*Password: ")))); + row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")+": ")))); + row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")+": ")))); Input input1 = new Input(Input.TEXT, USERNAME, ""); Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); 
@@ -182,7 +183,7 @@ public class HtmlClues extends LessonAdapter t.addElement(row1); t.addElement(row2); - Element b = ECSFactory.makeButton("Login"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); t.addElement(new TR(new TD(b))); ec.addElement(t); @@ -197,24 +198,14 @@ public class HtmlClues extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("You can view the HTML source by selecting 'view source' in the browser menu."); - hints.add("There are lots of clues in the HTML"); - hints.add("Search for the word HIDDEN, look at URLs, look for comments."); - + hints.add(WebGoatI18N.get("HtmlCluesHint1")); + hints.add(WebGoatI18N.get("HtmlCluesHint2")); + hints.add(WebGoatI18N.get("HtmlCluesHint3")); + return hints; } - /** - * Gets the instructions attribute of the HtmlClues object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Below is an example of a forms based authentication form. Look for clues to help you log in."; - return (instructions); - } private final static Integer DEFAULT_RANKING = new Integer(30); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java index 60b9c2c3a..aa162aa7c 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java @@ -9,6 +9,7 @@ import org.apache.ecs.StringElement; import org.apache.ecs.html.Input; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** 
@@ -59,7 +60,7 @@ public class HttpBasics extends LessonAdapter StringBuffer person = null; try { - ec.addElement(new StringElement("Enter your name: ")); + ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName")+": ")); person = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); person.reverse(); @@ -67,7 +68,7 @@ public class HttpBasics extends LessonAdapter Input input = new Input(Input.TEXT, PERSON, person.toString()); ec.addElement(input); - Element b = ECSFactory.makeButton("Go!"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); ec.addElement(b); } catch (Exception e) { diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java index afd02d6c8..b2dbe0fbc 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java @@ -14,6 +14,7 @@ import org.apache.ecs.html.Input; import org.apache.ecs.html.P; import org.apache.ecs.html.TextArea; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** 
@@ -124,28 +125,28 @@ public class JavaScriptValidation extends LessonAdapter b.setType(Input.BUTTON); b.setValue("Submit"); b.addAttribute("onclick", "validate();"); - ec.addElement(new Div().addElement(new StringElement("Field1: exactly three lowercase characters (" + ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("3LowerCase")+"(" + regex1 + ")"))); ec.addElement(new Div().addElement(input1)); ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement("Field2: exactly three digits (" + regex2 + ")"))); + ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("Exactly3Digits")+"(" + regex2 + ")"))); ec.addElement(new Div().addElement(input2)); ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement("Field3: letters, numbers, and space only (" + regex3 + ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("LettersNumbersSpaceOnly")+"(" + regex3 + ")"))); ec.addElement(new Div().addElement(input3)); ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement("Field4: enumeration of numbers (" + regex4 + ")"))); + ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("EnumerationOfNumbers")+" (" + regex4 + ")"))); ec.addElement(new Div().addElement(input4)); ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement("Field5: simple zip code (" + regex5 + ")"))); + ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("SimpleZipCode")+ " (" + regex5 + ")"))); ec.addElement(new Div().addElement(input5)); ec.addElement(new P()); ec.addElement(new Div() - .addElement(new StringElement("Field6: zip with optional dash four (" + regex6 + ")"))); + .addElement(new StringElement(WebGoatI18N.get("ZIPDashFour")+" (" + regex6 + ")"))); ec.addElement(new Div().addElement(input6)); ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement("Field7: US phone number with or without dashes (" + 
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("USPhoneNumber")+ " (" + regex7 + ")"))); ec.addElement(new Div().addElement(input7)); ec.addElement(new P()); @@ -160,43 +161,43 @@ public class JavaScriptValidation extends LessonAdapter if (!pattern1.matcher(param1).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field1."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+" Field1."; } if (!pattern2.matcher(param2).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field2."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+" Field2."; } if (!pattern3.matcher(param3).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field3."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+"Field3."; } if (!pattern4.matcher(param4).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field4."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+"Field4."; } if (!pattern5.matcher(param5).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field5."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+"Field5."; } if (!pattern6.matcher(param6).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field6."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+"Field6."; } if (!pattern7.matcher(param7).matches()) { err++; - msg += "
Server side validation violation: You succeeded for Field7."; + msg += "
"+WebGoatI18N.get("ServerSideValidationViolation")+"Field7."; } if (err > 0) @@ -212,7 +213,7 @@ public class JavaScriptValidation extends LessonAdapter catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } @@ -237,27 +238,14 @@ public class JavaScriptValidation extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - - hints.add("The validation is happening in your browser."); - hints.add("Try modifying the values with a proxy after they leave your browser"); - hints.add("Another way is to delete the JavaScript before you view the page."); + hints.add(WebGoatI18N.get("JavaScriptValidationHint1")); + hints.add(WebGoatI18N.get("JavaScriptValidationHint2")); + hints.add(WebGoatI18N.get("JavaScriptValidationHint3")); + return hints; } - /** - * Gets the instructions attribute of the WeakAccessControl object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "This website performs both client and server side validation. " - + "For this exercise, your job is to break the client side validation and send the " - + " website input that it wasn't expecting." - + " You must break all 7 validators at the same time. "; - return (instructions); - } private final static Integer DEFAULT_RANKING = new Integer(120); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java index 8284e5376..7c067d9e6 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java 
@@ -16,6 +16,7 @@ import org.apache.ecs.html.TD; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -165,9 +166,10 @@ public abstract class LessonAdapter extends AbstractLesson public String getInstructions(WebSession s) { StringBuffer buff = new StringBuffer(); + String lang = s.getCurrrentLanguage(); try { - String fileName = s.getWebResource(getLessonPlanFileName()); + String fileName = s.getWebResource(getLessonPlanFileName(lang)); if (fileName != null) { BufferedReader in = new BufferedReader(new FileReader(fileName)); @@ -241,7 +243,7 @@ public abstract class LessonAdapter extends AbstractLesson { getLessonTracker(s).setCompleted(true); - s.setMessage("Congratulations. You have successfully completed this lesson."); + s.setMessage(WebGoatI18N.get("LessonCompleted")); return (null); } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java index 98a1bb3ae..d3cbb36f4 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java @@ -17,6 +17,7 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** 
@@ -73,15 +74,15 @@ public class LogSpoofing extends LessonAdapter TR row2 = new TR(); TR row3 = new TR(); - row1.addElement(new TD(new StringElement("Username: "))); + row1.addElement(new TD(new StringElement(WebGoatI18N.get("UserName")+":"))); Input username = new Input(Input.TEXT, USERNAME, ""); row1.addElement(new TD(username)); - row2.addElement(new TD(new StringElement("Password: "))); + row2.addElement(new TD(new StringElement(WebGoatI18N.get("Password")+": "))); Input password = new Input(Input.PASSWORD, PASSWORD, ""); row2.addElement(new TD(password)); - Element b = ECSFactory.makeButton("Login"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); row3.addElement(new TD(new StringElement("  "))); row3.addElement(new TD(b)).setAlign("right"); @@ -102,7 +103,7 @@ public class LogSpoofing extends LessonAdapter Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); TR row4 = new TR(); - row4.addElement(new TD(new PRE("Login failed for username: " + inputUsername))).setBgColor(HtmlColor.GRAY); + row4.addElement(new TD(new PRE(WebGoatI18N.get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY); t2.addElement(row4); @@ -111,7 +112,7 @@ public class LogSpoofing extends LessonAdapter if (inputUsername.length() != 0 && inputUsername.toUpperCase().indexOf( System.getProperty("line.separator") - + "LOGIN SUCCEEDED FOR USERNAME:") >= 0) + + WebGoatI18N.get("LoginSucceededForUserName")+":") >= 0) { makeSuccess(s); } 
@@ -134,12 +135,10 @@ public class LogSpoofing extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("Try to fool the human eye by using new lines."); - hints.add("Use CR (%0d) and LF (%0a) for a new line."); - hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); - hints - .add("Try: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>"); - + hints.add(WebGoatI18N.get("LogSpoofingHint1")); + hints.add(WebGoatI18N.get("LogSpoofingHint2")); + hints.add(WebGoatI18N.get("LogSpoofingHint3")); + hints.add(WebGoatI18N.get("LogSpoofingHint4")); return hints; } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java index f6e776b4d..a8a234929 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java @@ -16,6 +16,7 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -66,7 +67,7 @@ public class PathBasedAccessControl extends LessonAdapter try { - String dir = s.getContext().getRealPath("/lesson_plans"); + String dir = s.getContext().getRealPath("/lesson_plans/English"); File d = new File(dir); Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); @@ -77,8 +78,8 @@ public class PathBasedAccessControl extends LessonAdapter } String[] list = d.list(); - String listing = "

Current Directory is: " + Encoding.urlDecode(dir) - + "

Choose the file to view:

"; + String listing = "

"+WebGoatI18N.get("CurrentDirectory")+" " + Encoding.urlDecode(dir) + + "

"+WebGoatI18N.get("ChooseFileToView")+"

"; TR tr = new TR(); tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing))); @@ -86,7 +87,7 @@ public class PathBasedAccessControl extends LessonAdapter tr = new TR(); tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15))); - tr.addElement(new TD().addElement(ECSFactory.makeButton("View File"))); + tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("ViewFile")))); t.addElement(tr); ec.addElement(t); @@ -105,17 +106,13 @@ public class PathBasedAccessControl extends LessonAdapter // file if (upDirCount(file) == 3 && !file.endsWith("LICENSE")) { - s.setMessage("Access denied"); - s.setMessage("It appears that you are on the right track. " - + "Commands that may compromise the operating system have been disabled. " - + "You are only allowed to see one file in this directory. "); + s.setMessage(WebGoatI18N.get("AccessDenied")); + s.setMessage(WebGoatI18N.get("ItAppears1")); } else if (upDirCount(file) > 3) { - s.setMessage("Access denied"); - s.setMessage("It appears that you are on the right track. " - + "Commands that may compromise the operating system have been disabled. " - + "You are only allowed to see files in the webgoat directory. "); + s.setMessage(WebGoatI18N.get("AccessDenied")); + s.setMessage(WebGoatI18N.get("ItAppears2")); } else { @@ -134,13 +131,13 @@ public class PathBasedAccessControl extends LessonAdapter if (s.isDebug()) { - s.setMessage("File: " + file); - s.setMessage("Dir: " + dir); + s.setMessage(WebGoatI18N.get("File") + file); + s.setMessage(WebGoatI18N.get("Dir")+ dir); // s.setMessage("File URI: " + "file:///" + // (Encoding.urlEncode(dir) + "\\" + // Encoding.urlEncode(file)).replaceAll("\\\\","/")); - s.setMessage(" - isFile(): " + f.isFile()); - s.setMessage(" - exists(): " + f.exists()); + s.setMessage(WebGoatI18N.get("IsFile")+ f.isFile()); + s.setMessage(WebGoatI18N.get("Exists") + f.exists()); } if (!illegalCommand) { 
@@ -150,21 +147,21 @@ public class PathBasedAccessControl extends LessonAdapter // directory listing we gave them. if (upDirCount(file) >= 1) { - s.setMessage("Congratulations! Access to file allowed"); + s.setMessage(WebGoatI18N.get("CongratsAccessToFileAllowed")); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); makeSuccess(s); } else { - s.setMessage("File is already in allowed directory - try again!"); + s.setMessage(WebGoatI18N.get("FileInAllowedDirectory")); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); } } else if (file != null && file.length() != 0) { s - .setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath()) - + "\" denied"); + .setMessage(WebGoatI18N.get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath()) + + WebGoatI18N.get("AccessToFileDenied2")); } else { @@ -178,11 +175,11 @@ public class PathBasedAccessControl extends LessonAdapter ec.addElement(new BR()); ec.addElement(new BR()); ec.addElement(new HR().setWidth("100%")); - ec.addElement("Viewing file: " + f.getCanonicalPath()); + ec.addElement(WebGoatI18N.get("ViewingFile")+ f.getCanonicalPath()); ec.addElement(new HR().setWidth("100%")); - if (f.length() > 80000) { throw new Exception("File is too large"); } + if (f.length() > 80000) { throw new Exception(WebGoatI18N.get("FileTooLarge")); } String fileData = getFileText(new BufferedReader(new FileReader(f)), false); - if (fileData.indexOf(0x00) != -1) { throw new Exception("File is binary"); } + if (fileData.indexOf(0x00) != -1) { throw new Exception(WebGoatI18N.get("FileBinary")); } ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "
") .replaceAll("(?s)", "").replaceAll("

", "
") .replaceAll("
\\s
", "
").replaceAll("<\\?", "<").replaceAll("<(r|u|t)", @@ -190,13 +187,13 @@ public class PathBasedAccessControl extends LessonAdapter } catch (Exception e) { ec.addElement(new BR()); - ec.addElement("The following error occurred while accessing the file: <"); + ec.addElement(WebGoatI18N.get("TheFollowingError")); ec.addElement(e.getMessage()); } } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating")+ this.getClass().getName()); e.printStackTrace(); } @@ -233,11 +230,11 @@ public class PathBasedAccessControl extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("Most operating systems allow special characters in the path."); - hints.add("Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory"); - hints.add("Try .. in the path"); - hints.add("Try ..\\..\\..\\LICENSE"); - + hints.add(WebGoatI18N.get("PathBasedAccessControlHint1")); + hints.add(WebGoatI18N.get("PathBasedAccessControlHint2")); + hints.add(WebGoatI18N.get("PathBasedAccessControlHint3")); + hints.add(WebGoatI18N.get("PathBasedAccessControlHint4")); + return hints; } @@ -248,11 +245,7 @@ public class PathBasedAccessControl extends LessonAdapter */ public String getInstructions(WebSession s) { - String instructions = "The '" + s.getUserName() + "' user has access to all the files in the " - + "lesson_plans directory. Try to break the access control mechanism and access a " - + "resource that is not in the listed directory. After selecting a file to view, WebGoat " - + "will report if access to the file was granted. An interesting file to try and obtain might " - + "be a file like tomcat/conf/tomcat-users.xml"; + String instructions = WebGoatI18N.get("PathBasedAccessControlInstr1")+ s.getUserName() + WebGoatI18N.get("PathBasedAccessControlInstr2"); return (instructions); } 
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java index f0634fe19..c03ff8138 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java @@ -19,6 +19,7 @@ import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -87,13 +88,13 @@ public class ReflectedXSS extends LessonAdapter makeSuccess(s); } - s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code. Please try again."); + s.setMessage(WebGoatI18N.get("ReflectedXSSWhoops1")+ param1 + WebGoatI18N.get("ReflectedXSSWhoops2")); } // FIXME: encode output of field2, then s.setMessage( field2 ); ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); + ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart")))); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); if (s.isColor()) 
@@ -102,10 +103,10 @@ public class ReflectedXSS extends LessonAdapter } TR tr = new TR(); - tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Total").setWidth("7%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%")); + tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%")); t.addElement(tr); tr = new TR(); 
@@ -170,24 +171,24 @@ public class ReflectedXSS extends LessonAdapter ec.addElement(new BR()); tr = new TR(); - tr.addElement(new TD().addElement("The total charged to your credit card:")); + tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":")); tr.addElement(new TD().addElement(money.format(runningTotal))); - tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); + tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart")))); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement(" ").setColSpan(2)); t.addElement(tr); tr = new TR(); - tr.addElement(new TD().addElement("Enter your credit card number:")); + tr.addElement(new TD().addElement(WebGoatI18N.get("EnterCreditCard")+":")); tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); t.addElement(tr); tr = new TR(); - tr.addElement(new TD().addElement("Enter your three digit access code:")); + tr.addElement(new TD().addElement(WebGoatI18N.get("Enter3DigitCode")+":")); tr.addElement(new TD().addElement("")); // tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1))); t.addElement(tr); - Element b = ECSFactory.makeButton("Purchase"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Purchase")); tr = new TR(); tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); t.addElement(tr); @@ -197,7 +198,7 @@ public class ReflectedXSS extends LessonAdapter ec.addElement(new HR().setWidth("90%")); } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } return (ec); 
@@ -221,16 +222,12 @@ public class ReflectedXSS extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("A simple script is <SCRIPT>alert('bang!');</SCRIPT>."); - hints.add("Can you get the script to disclose the JSESSIONID cookie?"); - hints.add("You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie"); - hints.add("Can you get the script to access the credit card form field?"); - hints - .add("Try a cross site trace (XST) Command:
" - + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" - + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" - + " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " - + "document.write(str1);}</script>"); + hints.add(WebGoatI18N.get("ReflectedXSSHint1")); + hints.add(WebGoatI18N.get("ReflectedXSSHint2")); + hints.add(WebGoatI18N.get("ReflectedXSSHint3")); + hints.add(WebGoatI18N.get("ReflectedXSSHint4")); + hints.add(WebGoatI18N.get("ReflectedXSSHint5")); + return hints; } @@ -238,16 +235,7 @@ public class ReflectedXSS extends LessonAdapter // = new // ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); // xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);} - /** - * Gets the instructions attribute of the WeakAccessControl object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad."; - return (instructions); - } + private final static Integer DEFAULT_RANKING = new Integer(120); diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java index dd56eea5b..62262abf9 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java 
@@ -6,6 +6,7 @@ import java.util.List; import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -56,11 +57,6 @@ public class RemoteAdminFlaw extends LessonAdapter { makeSuccess(s); } - else - { - ec.addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure " - + "out how to access the administrative interface for WebGoat."); - } return ec; } @@ -83,12 +79,11 @@ public class RemoteAdminFlaw extends LessonAdapter public List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("WebGoat has 2 admin interfaces."); - hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'"); - hints - .add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'"); - hints.add("Follow the Source!"); - hints.add("On success you will see new submenu items in the menupoint 'Admin Functions'"); + hints.add(WebGoatI18N.get("RemoteAdminFlawHint1")); + hints.add(WebGoatI18N.get("RemoteAdminFlawHint2")); + hints.add(WebGoatI18N.get("RemoteAdminFlawHint3")); + hints.add(WebGoatI18N.get("RemoteAdminFlawHint4")); + hints.add(WebGoatI18N.get("RemoteAdminFlawHint5")); return hints; } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java index 3ddaaed41..0badb9b31 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java 
@@ -22,6 +22,7 @@ import org.apache.ecs.html.Select; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -129,18 +130,15 @@ public class SqlNumericInjection extends SequentialLessonAdapter makeSuccess(s); getLessonTracker(s).setStage(2); StringBuffer msg = new StringBuffer(); - - msg.append("Bet you can't do it again! "); - msg.append("This lesson has detected your successfull attack "); - msg.append("and has now switched to a defensive mode. "); - msg.append("Try again to attack a parameterized query."); + + msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage")); s.setMessage(msg.toString()); } } else { - ec.addElement("No results matched. Try Again."); + ec.addElement(WebGoatI18N.get("NoResultsMatched")); } } catch (SQLException sqle) @@ -149,7 +147,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } @@ -160,8 +158,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter { ElementContainer ec = new ElementContainer(); - ec.addElement("Now that you have successfully performed an SQL injection, try the same " - + " type of attack on a parameterized query."); + ec.addElement(WebGoatI18N.get("NumericSqlInjectionSecondStage2")); // if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart")) // { // getLessonTracker(s).setStage(1); 
@@ -205,14 +202,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter } else { - ec.addElement("No results matched. Try Again."); + ec.addElement(WebGoatI18N.get("NoResultsMatched")); } } catch (SQLException sqle) { ec.addElement(new P().addElement(sqle.getMessage())); } catch (NumberFormatException npe) { - ec.addElement(new P().addElement("Error parsing station as a number: " + npe.getMessage())); + ec.addElement(new P().addElement(WebGoatI18N.get("ErrorParsingAsNumber") + npe.getMessage())); } } catch (Exception e) { @@ -227,7 +224,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter { ElementContainer ec = new ElementContainer(); - ec.addElement(new P().addElement("Select your local weather station: ")); + ec.addElement(new P().addElement(WebGoatI18N.get("SelectYourStation"))); Map stations = getStations(s); Select select = new Select(STATION_ID); @@ -240,7 +237,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter ec.addElement(select); ec.addElement(new P()); - Element b = ECSFactory.makeButton("Go!"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); ec.addElement(b); return ec; @@ -310,13 +307,12 @@ public class SqlNumericInjection extends SequentialLessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints - .add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command."); - hints.add("This is the code for the query being built and issued by WebGoat:

" - + "\"SELECT * FROM weather_data WHERE station = \" + station "); - hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " - + "Try appending a SQL statement that always resolves to true."); - hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ]."); + hints.add(WebGoatI18N.get("SqlNumericInjectionHint1")); + hints.add(WebGoatI18N.get("SqlNumericInjectionHint2")); + hints.add(WebGoatI18N.get("SqlNumericInjectionHint3")); + hints.add(WebGoatI18N.get("SqlNumericInjectionHint4")); + + return hints; } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java index b5ab7b2d9..fd9d4dfd4 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java @@ -18,6 +18,7 @@ import org.apache.ecs.html.PRE; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -113,17 +114,14 @@ public class SqlStringInjection extends SequentialLessonAdapter StringBuffer msg = new StringBuffer(); - msg.append("Bet you can't do it again! "); - msg.append("This lesson has detected your successful attack "); - msg.append("and has now switched to a defensive mode. "); - msg.append("Try again to attack a parameterized query."); + msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage1")); s.setMessage(msg.toString()); } } else { - ec.addElement("No results matched. Try Again."); + ec.addElement(WebGoatI18N.get("NoResultsMatched")); } } catch (SQLException sqle) { 
@@ -132,7 +130,7 @@ public class SqlStringInjection extends SequentialLessonAdapter } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } @@ -143,9 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter { ElementContainer ec = new ElementContainer(); - ec.addElement("Now that you have successfully performed an SQL injection, try the same " - + " type of attack on a parameterized query. Restart the lesson if you wish " - + " to return to the injectable query"); + ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage")); if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart")) { getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); @@ -184,7 +180,7 @@ public class SqlStringInjection extends SequentialLessonAdapter } else { - ec.addElement("No results matched. Try Again."); + ec.addElement(WebGoatI18N.get("NoResultsMatched")); } } catch (SQLException sqle) { @@ -192,7 +188,7 @@ public class SqlStringInjection extends SequentialLessonAdapter } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } @@ -202,13 +198,13 @@ public class SqlStringInjection extends SequentialLessonAdapter protected Element makeAccountLine(WebSession s) { ElementContainer ec = new ElementContainer(); - ec.addElement(new P().addElement("Enter your last name: ")); + ec.addElement(new P().addElement(WebGoatI18N.get("EnterLastName"))); accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name"); Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString()); ec.addElement(input); - Element b = ECSFactory.makeButton("Go!"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); ec.addElement(b); return ec; 
@@ -233,12 +229,11 @@ public class SqlStringInjection extends SequentialLessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); - hints.add("This is the code for the query being built and issued by WebGoat:

" - + "\"SELECT * FROM user_data WHERE last_name = \" + accountName "); - hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR." - + "Try appending a SQL statement that always resolves to true"); - hints.add("Try entering [ smith' OR '1' = '1 ]."); + + hints.add(WebGoatI18N.get("SqlStringInjectionHint1")); + hints.add(WebGoatI18N.get("SqlStringInjectionHint2")); + hints.add(WebGoatI18N.get("SqlStringInjectionHint3")); + hints.add(WebGoatI18N.get("SqlStringInjectionHint4")); return hints; } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java index e0d118f2f..df1d55a68 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java @@ -23,6 +23,7 @@ import org.apache.ecs.html.Table; import org.apache.ecs.html.TextArea; import org.owasp.webgoat.session.*; import org.owasp.webgoat.util.HtmlEncoder; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -114,7 +115,7 @@ public class StoredXss extends LessonAdapter // like "Characters found after end of SQL statement." if (e.getMessage().indexOf("No ResultSet was produced") == -1) { - s.setMessage("Could not add message to database"); + s.setMessage(WebGoatI18N.get("CouldNotAddMessage")); } e.printStackTrace(); } 
@@ -159,11 +160,12 @@ public class StoredXss extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("You can put HTML tags in your message."); - hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it."); - hints - .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field."); - hints.add("Enter this: <script>alert(document.cookie);</script> in the message field."); + hints.add(WebGoatI18N.get("StoredXssHint1")); + hints.add(WebGoatI18N.get("StoredXssHint1")); + hints.add(WebGoatI18N.get("StoredXssHint1")); + hints.add(WebGoatI18N.get("StoredXssHint1")); + + return hints; } @@ -217,14 +219,14 @@ public class StoredXss extends LessonAdapter if ((results != null) && results.first()) { - ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL))); + ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor")+": " + results.getString(TITLE_COL))); Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); - TR row1 = new TR(new TD(new B(new StringElement("Title:")))); + TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title")+":")))); row1.addElement(new TD(new StringElement(results.getString(TITLE_COL)))); t.addElement(row1); String messageData = results.getString(MESSAGE_COL); - TR row2 = new TR(new TD(new B(new StringElement("Message:")))); + TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message")+":")))); row2.addElement(new TD(new StringElement(messageData))); t.addElement(row2); @@ -234,7 +236,7 @@ public class StoredXss extends LessonAdapter // message, // they can see that the message is attributed to that user - TR row3 = new TR(new TD(new StringElement("Posted By:"))); + TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy")+":"))); row3.addElement(new TD(new StringElement(results.getString(USER_COL)))); t.addElement(row3); 
@@ -253,12 +255,12 @@ public class StoredXss extends LessonAdapter { if (messageNum != 0) { - ec.addElement(new P().addElement("Could not find message " + messageNum)); + ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum)); } } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } @@ -277,14 +279,14 @@ public class StoredXss extends LessonAdapter Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); TR row1 = new TR(); TR row2 = new TR(); - row1.addElement(new TD(new StringElement("Title: "))); + row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title")+": "))); Input inputTitle = new Input(Input.TEXT, TITLE, ""); row1.addElement(new TD(inputTitle)); TD item1 = new TD(); item1.setVAlign("TOP"); - item1.addElement(new StringElement("Message: ")); + item1.addElement(new StringElement(WebGoatI18N.get("Message")+": ")); row2.addElement(item1); TD item2 = new TD(); @@ -294,7 +296,7 @@ public class StoredXss extends LessonAdapter t.addElement(row1); t.addElement(row2); - Element b = ECSFactory.makeButton("Submit"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit")); ElementContainer ec = new ElementContainer(); ec.addElement(t); ec.addElement(new P().addElement(b)); @@ -343,11 +345,11 @@ public class StoredXss extends LessonAdapter } } catch (Exception e) { - s.setMessage("Error while getting message list."); + s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList")); } ElementContainer ec = new ElementContainer(); - ec.addElement(new H1("Message List")); + ec.addElement(new H1(WebGoatI18N.get("MessageList"))); ec.addElement(t); return (ec); 
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java index def21b08a..66269b869 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java @@ -18,6 +18,7 @@ import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.*; +import org.owasp.webgoat.util.WebGoatI18N; /*************************************************************************************************** @@ -103,7 +104,7 @@ public class WeakAuthenticationCookie extends LessonAdapter } else { - s.setMessage("Invalid cookie"); + s.setMessage(WebGoatI18N.get("InvalidCookie")); s.eatCookies(); } } @@ -141,14 +142,14 @@ public class WeakAuthenticationCookie extends LessonAdapter if (loginID != "") { Cookie newCookie = new Cookie(AUTHCOOKIE, loginID); - s.setMessage("Your identity has been remembered"); + s.setMessage(WebGoatI18N.get("IdentityRemembered")); s.getResponse().addCookie(newCookie); return (username); } else { - s.setMessage("Invalid username and password entered."); + s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword")); } } @@ -168,7 +169,7 @@ public class WeakAuthenticationCookie extends LessonAdapter if (logout) { - s.setMessage("Goodbye! Your password has been forgotten"); + s.setMessage(WebGoatI18N.get("PasswordForgotten")); s.eatCookies(); return (makeLogin(s)); @@ -185,7 +186,7 @@ public class WeakAuthenticationCookie extends LessonAdapter if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); } } catch (Exception e) { - s.setMessage("Error generating " + this.getClass().getName()); + s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); e.printStackTrace(); } 
@@ -250,27 +251,16 @@ public class WeakAuthenticationCookie extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("The server authenticates the user using a cookie, if you send the right cookie."); - hints.add("Is the AuthCookie value guessable knowing the username and password?"); - hints.add("Add 'AuthCookie=********;' to the Cookie: header using " - + "WebScarab."); - hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx
" - + "After logging in as aspect a cookie is added. 65432udfqtb
" - + "Is there anything similar about the cookies and the login names?"); + hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1")); + hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2")); + hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3")); + hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4")); + + return hints; } - /** - * Gets the instructions attribute of the WeakAuthenticationCookie object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice."; - return (instructions); - } private final static Integer DEFAULT_RANKING = new Integer(90); @@ -300,7 +290,7 @@ public class WeakAuthenticationCookie extends LessonAdapter { ElementContainer ec = new ElementContainer(); - ec.addElement(new H1().addElement("Sign In ")); + ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn"))); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); if (s.isColor()) @@ -310,12 +300,12 @@ public class WeakAuthenticationCookie extends LessonAdapter TR tr = new TR(); tr.addElement(new TH() - .addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") + .addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn")) .setColSpan(2).setAlign("left")); t.addElement(tr); tr = new TR(); - tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); + tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%")); t.addElement(tr); tr = new TR(); 
@@ -324,8 +314,8 @@ public class WeakAuthenticationCookie extends LessonAdapter TR row1 = new TR(); TR row2 = new TR(); - row1.addElement(new TD(new B(new StringElement("*User Name: ")))); - row2.addElement(new TD(new B(new StringElement("*Password: ")))); + row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName"))))); + row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password"))))); Input input1 = new Input(Input.TEXT, USERNAME, ""); Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); @@ -334,7 +324,7 @@ public class WeakAuthenticationCookie extends LessonAdapter t.addElement(row1); t.addElement(row2); - Element b = ECSFactory.makeButton("Login"); + Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); t.addElement(new TR(new TD(b))); ec.addElement(t); @@ -357,10 +347,10 @@ public class WeakAuthenticationCookie extends LessonAdapter protected Element makeUser(WebSession s, String user, String method) throws Exception { ElementContainer ec = new ElementContainer(); - ec.addElement(new P().addElement("Welcome, " + user)); - ec.addElement(new P().addElement("You have been authenticated with " + method)); - ec.addElement(new P().addElement(ECSFactory.makeLink("Logout", LOGOUT, true))); - ec.addElement(new P().addElement(ECSFactory.makeLink("Refresh", "", ""))); + ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user)); + ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method)); + ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true))); + ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", ""))); return (ec); } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java index ffadf10aa..17358f799 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java 
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java @@ -4,6 +4,7 @@ package org.owasp.webgoat.session; import java.io.File; import java.io.IOException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.Iterator; import java.util.List; @@ -16,6 +17,7 @@ import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Category; + /*************************************************************************************************** * * @@ -59,6 +61,7 @@ public class Course private WebgoatContext webgoatContext; + public Course() { try @@ -71,6 +74,9 @@ public class Course } } + + + /** * Take an absolute file and return the filename. * @@ -368,6 +374,15 @@ public class Course } } + private String getLanguageFromFileName(String first, String absoluteFile){ + int p1 = absoluteFile.indexOf("/",absoluteFile.indexOf(first)+1); + int p2 = absoluteFile.indexOf("/",p1+1); + String langStr=absoluteFile.substring(p1+1,p2); + + + return new String(langStr); + } + /** * For each lesson, set the source file and lesson file */ @@ -402,7 +417,9 @@ public class Course // lesson " + // lesson.getClass().getName()); // System.out.println("fileName: " + fileName + " == className: " + className ); - lesson.setLessonPlanFileName(absoluteFile); + String language = getLanguageFromFileName("/lesson_plans",absoluteFile); + lesson.setLessonPlanFileName(language, absoluteFile); + this.webgoatContext.getWebgoatI18N().loadLanguage(language); } if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName)) diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java index d10ae0671..9c6daf0df 100644 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java 
@@ -23,6 +23,8 @@ import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.RandomLessonAdapter; import org.owasp.webgoat.lessons.SequentialLessonAdapter; +import org.owasp.webgoat.util.WebGoatI18N; + /*************************************************************************************************** @@ -143,6 +145,8 @@ public class WebSession public final static String DEBUG = "debug"; + public final static String LANGUAGE = "language"; + /** * Description of the Field */ @@ -198,6 +202,10 @@ public class WebSession private int currentMenu; + private String currentLanguage = null; + + + /** * Constructor for the WebSession object * @@ -215,7 +223,9 @@ public class WebSession showSource = webgoatContext.isShowSource(); showSolution = webgoatContext.isShowSolution(); showRequest = webgoatContext.isShowRequest(); + currentLanguage = webgoatContext.getDefaultLanguage(); this.context = context; + course = new Course(); course.loadCourses(webgoatContext, context, "/"); } @@ -290,6 +300,9 @@ public class WebSession return context; } + + + public List getRoles() { List roles = new ArrayList(); @@ -591,20 +604,6 @@ public class WebSession return (isAdmin); } - /** - * Sets the admin flag - this routine is ONLY - * here to allow someone a backdoor to setting the - * user up as an admin. - * - * This is also used by the WebSession to set the admin, but the method - * should be private - * - * @param state - */ - public void setAdmin(boolean state) - { - isAdmin = state; - } /** * Gets the hackedAdmin attribute of the WebSession object * @@ -728,7 +727,7 @@ public class WebSession */ public boolean isUser() { - return (!isAdmin() && !isChallenge()); + return (!isAdmin && !isChallenge()); } /** 
@@ -834,6 +833,12 @@ public class WebSession { myParser.update(request); } + + if(myParser.getRawParameter(LANGUAGE,null)!=null){ + this.currentLanguage=new String(myParser.getRawParameter(LANGUAGE,null)); + WebGoatI18N.setCurrentLanguage(this.currentLanguage); + } + // System.out.println("Current Screen 1: " + currentScreen ); // System.out.println("Previous Screen 1: " + previousScreen ); @@ -965,8 +970,8 @@ public class WebSession } - setAdmin(request.isUserInRole(WEBGOAT_ADMIN)); - isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin()); + isAdmin = request.isUserInRole(WEBGOAT_ADMIN); + isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin); if (isHackedAdmin) { System.out.println("Hacked admin"); @@ -1005,10 +1010,7 @@ public class WebSession { RandomLessonAdapter rla = (RandomLessonAdapter) al; rla.setStage(this, rla.getStages()[0]); - } - else if(al instanceof org.owasp.webgoat.lessons.MaliciousFileExecution) { - ((org.owasp.webgoat.lessons.MaliciousFileExecution) al).restartLesson(this); - } + } } /** @@ -1093,4 +1095,10 @@ public class WebSession { return webgoatContext; } + + public String getCurrrentLanguage() { + return currentLanguage; + } + + } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java index 61ca06ee7..ebb9b34d3 100755 --- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java @@ -4,6 +4,8 @@ package org.owasp.webgoat.session; import java.util.Iterator; import javax.servlet.http.HttpServlet; +import org.owasp.webgoat.util.WebGoatI18N; + public class WebgoatContext { 
@@ -39,6 +41,8 @@ public class WebgoatContext public final static String FEEDBACK_ADDRESS = "email"; public final static String DEBUG = "debug"; + + public final static String DEFAULTLANGUAGE = "DefaultLanguage"; private String databaseConnectionString; @@ -75,6 +79,10 @@ public class WebgoatContext private String servletName; private HttpServlet servlet; + + private String defaultLanguage; + + private WebGoatI18N webgoati18n = null; public WebgoatContext(HttpServlet servlet) { @@ -100,7 +108,10 @@ public class WebgoatContext showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); isDebug = "true".equals(getParameter(servlet, DEBUG)); servletName = servlet.getServletName(); - + defaultLanguage = getParameter(servlet,DEFAULTLANGUAGE)!=null ? new String(getParameter(servlet, DEFAULTLANGUAGE)): new String("English"); + + webgoati18n = new WebGoatI18N(this); + } private String getParameter(HttpServlet servlet, String key) @@ -222,4 +233,16 @@ public class WebgoatContext return showSolution; } + public String getDefaultLanguage() { + return defaultLanguage; + } + + public void setWebgoatiI18N(WebGoatI18N webgoati18n) { + this.webgoati18n = webgoati18n; + } + + public WebGoatI18N getWebgoatI18N() { + return webgoati18n; + } + } diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/util/WebGoatI18N.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/util/WebGoatI18N.java new file mode 100644 index 000000000..9a54a50b5 --- /dev/null +++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/util/WebGoatI18N.java 
@@ -0,0 +1,41 @@ +package org.owasp.webgoat.util; + +import java.util.HashMap; +import java.util.Locale; +import java.util.ResourceBundle; + +import org.owasp.webgoat.session.WebgoatContext; + +public class WebGoatI18N { + + private static HashMap labels= new HashMap(); + private static String defaultLanguage ; + private static String currentLanguage; + + public WebGoatI18N(WebgoatContext context){ + Locale l = new Locale(context.getDefaultLanguage()); + WebGoatI18N.defaultLanguage=context.getDefaultLanguage(); + labels.put(context.getDefaultLanguage(),ResourceBundle.getBundle("WebGoatLabels",l)); + } + + public static void loadLanguage(String language){ + Locale l = new Locale(language); + labels.put(language, ResourceBundle.getBundle("WebGoatLabels",l)); + } + + public static void setCurrentLanguage(String language){ + WebGoatI18N.currentLanguage=language; + } + + public static String get(String strName) { + if(labels.containsKey(WebGoatI18N.currentLanguage)){ + return labels.get(WebGoatI18N.currentLanguage).getString(strName); + } + else { + return labels.get(WebGoatI18N.defaultLanguage).getString(strName); + } + } + + + +} diff --git a/webgoat/main/project/WebContent/css/webgoat.css b/webgoat/main/project/WebContent/css/webgoat.css index b2fe1f547..cdcf9c32c 100644 --- a/webgoat/main/project/WebContent/css/webgoat.css +++ b/webgoat/main/project/WebContent/css/webgoat.css @@ -192,9 +192,9 @@ html>body #navBar li {} #topRight { position:absolute; - left:715px; + left:485px; top:0px; - width:75px; + width:320px; height:23px; z-index:3; float: right; diff --git a/webgoat/main/project/WebContent/javascript/menu_system.js b/webgoat/main/project/WebContent/javascript/menu_system.js index a97a659bf..51f773030 100644 --- a/webgoat/main/project/WebContent/javascript/menu_system.js +++ b/webgoat/main/project/WebContent/javascript/menu_system.js 
@@ -1,3 +1,10 @@ +function changeLanguage(){ + var select=MM_findObj("language",null); + + document.location="attack?language="+select.value; +} + + function MM_findObj(n, d) { var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) { d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);} diff --git a/webgoat/main/project/WebContent/lesson_plans/AccessControlMatrix.html b/webgoat/main/project/WebContent/lesson_plans/English/AccessControlMatrix.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/AccessControlMatrix.html rename to webgoat/main/project/WebContent/lesson_plans/English/AccessControlMatrix.html diff --git a/webgoat/main/project/WebContent/lesson_plans/BackDoors.html b/webgoat/main/project/WebContent/lesson_plans/English/BackDoors.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/BackDoors.html rename to webgoat/main/project/WebContent/lesson_plans/English/BackDoors.html diff --git a/webgoat/main/project/WebContent/lesson_plans/BasicAuthentication.html b/webgoat/main/project/WebContent/lesson_plans/English/BasicAuthentication.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/BasicAuthentication.html rename to webgoat/main/project/WebContent/lesson_plans/English/BasicAuthentication.html diff --git a/webgoat/main/project/WebContent/lesson_plans/BlindSqlInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/BlindSqlInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/BlindSqlInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/BlindSqlInjection.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/BufferOverflow.html b/webgoat/main/project/WebContent/lesson_plans/English/BufferOverflow.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/BufferOverflow.html rename to webgoat/main/project/WebContent/lesson_plans/English/BufferOverflow.html diff --git a/webgoat/main/project/WebContent/lesson_plans/CSRF.html b/webgoat/main/project/WebContent/lesson_plans/English/CSRF.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/CSRF.html rename to webgoat/main/project/WebContent/lesson_plans/English/CSRF.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ChallengeScreen.html b/webgoat/main/project/WebContent/lesson_plans/English/ChallengeScreen.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ChallengeScreen.html rename to webgoat/main/project/WebContent/lesson_plans/English/ChallengeScreen.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ClientSideFiltering.html b/webgoat/main/project/WebContent/lesson_plans/English/ClientSideFiltering.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ClientSideFiltering.html rename to webgoat/main/project/WebContent/lesson_plans/English/ClientSideFiltering.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ClientSideValidation.html b/webgoat/main/project/WebContent/lesson_plans/English/ClientSideValidation.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ClientSideValidation.html rename to webgoat/main/project/WebContent/lesson_plans/English/ClientSideValidation.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/CommandInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/CommandInjection.html similarity index 94% rename from webgoat/main/project/WebContent/lesson_plans/CommandInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/CommandInjection.html index 5fbbb2d58..1db97ab80 100644 --- a/webgoat/main/project/WebContent/lesson_plans/CommandInjection.html +++ b/webgoat/main/project/WebContent/lesson_plans/English/CommandInjection.html @@ -6,6 +6,7 @@ Command  injection attacks represent a serious threat to any parameter-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This lesson will show the student several examples of parameter injection.
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries.
+Try to inject a command to the operating system.

General Goal(s):

The user should be able to execute any command on the hosting OS. \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/ConcurrencyCart.html b/webgoat/main/project/WebContent/lesson_plans/English/ConcurrencyCart.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ConcurrencyCart.html rename to webgoat/main/project/WebContent/lesson_plans/English/ConcurrencyCart.html diff --git a/webgoat/main/project/WebContent/lesson_plans/CrossSiteScripting.html b/webgoat/main/project/WebContent/lesson_plans/English/CrossSiteScripting.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/CrossSiteScripting.html rename to webgoat/main/project/WebContent/lesson_plans/English/CrossSiteScripting.html diff --git a/webgoat/main/project/WebContent/lesson_plans/CsrfPromptByPass.html b/webgoat/main/project/WebContent/lesson_plans/English/CsrfPromptByPass.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/CsrfPromptByPass.html rename to webgoat/main/project/WebContent/lesson_plans/English/CsrfPromptByPass.html diff --git a/webgoat/main/project/WebContent/lesson_plans/CsrfTokenByPass.html b/webgoat/main/project/WebContent/lesson_plans/English/CsrfTokenByPass.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/CsrfTokenByPass.html rename to webgoat/main/project/WebContent/lesson_plans/English/CsrfTokenByPass.html diff --git a/webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html b/webgoat/main/project/WebContent/lesson_plans/English/DBCrossSiteScripting.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/DBCrossSiteScripting.html rename to webgoat/main/project/WebContent/lesson_plans/English/DBCrossSiteScripting.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/DBSQLInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/DBSQLInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/DBSQLInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/DOMInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/DOMInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/DOMInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/DOMInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/DOMXSS.html b/webgoat/main/project/WebContent/lesson_plans/English/DOMXSS.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/DOMXSS.html rename to webgoat/main/project/WebContent/lesson_plans/English/DOMXSS.html diff --git a/webgoat/main/project/WebContent/lesson_plans/DOS_Login.html b/webgoat/main/project/WebContent/lesson_plans/English/DOS_Login.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/DOS_Login.html rename to webgoat/main/project/WebContent/lesson_plans/English/DOS_Login.html diff --git a/webgoat/main/project/WebContent/lesson_plans/DangerousEval.html b/webgoat/main/project/WebContent/lesson_plans/English/DangerousEval.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/DangerousEval.html rename to webgoat/main/project/WebContent/lesson_plans/English/DangerousEval.html diff --git a/webgoat/main/project/WebContent/lesson_plans/Encoding.html b/webgoat/main/project/WebContent/lesson_plans/English/Encoding.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/Encoding.html rename to webgoat/main/project/WebContent/lesson_plans/English/Encoding.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/FailOpenAuthentication.html b/webgoat/main/project/WebContent/lesson_plans/English/FailOpenAuthentication.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/FailOpenAuthentication.html rename to webgoat/main/project/WebContent/lesson_plans/English/FailOpenAuthentication.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html b/webgoat/main/project/WebContent/lesson_plans/English/ForcedBrowsing.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html rename to webgoat/main/project/WebContent/lesson_plans/English/ForcedBrowsing.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ForgotPassword.html b/webgoat/main/project/WebContent/lesson_plans/English/ForgotPassword.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ForgotPassword.html rename to webgoat/main/project/WebContent/lesson_plans/English/ForgotPassword.html diff --git a/webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html b/webgoat/main/project/WebContent/lesson_plans/English/HiddenFieldTampering.html similarity index 83% rename from webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html rename to webgoat/main/project/WebContent/lesson_plans/English/HiddenFieldTampering.html index 65a641fda..dff0d945e 100644 --- a/webgoat/main/project/WebContent/lesson_plans/HiddenFieldTampering.html +++ b/webgoat/main/project/WebContent/lesson_plans/English/HiddenFieldTampering.html @@ -2,8 +2,11 @@

Lesson Plan Title: How to Exploit Hidden Fields

Concept / Topic To Teach:

- + Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified
- +

General Goal(s):

The user should be able to exploit a hidden field to obtain a product at an incorrect price. + +Try to purchase the HDTV for less than the purchase price, if you have not done so already. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/HowToWork.html b/webgoat/main/project/WebContent/lesson_plans/English/HowToWork.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/HowToWork.html rename to webgoat/main/project/WebContent/lesson_plans/English/HowToWork.html diff --git a/webgoat/main/project/WebContent/lesson_plans/HtmlClues.html b/webgoat/main/project/WebContent/lesson_plans/English/HtmlClues.html similarity index 74% rename from webgoat/main/project/WebContent/lesson_plans/HtmlClues.html rename to webgoat/main/project/WebContent/lesson_plans/English/HtmlClues.html index d1c2b3c1a..c0d81446c 100644 --- a/webgoat/main/project/WebContent/lesson_plans/HtmlClues.html +++ b/webgoat/main/project/WebContent/lesson_plans/English/HtmlClues.html @@ -5,7 +5,8 @@

Concept / Topic To Teach:

Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code.  Review the source code for any comments denoting  passwords, backdoors, or something doesn't work right.  + Below is an example of a forms based authentication form. Look for clues to help you log in.

General Goal(s):

- The user should be able to bypass the authentication check. +The user should be able to bypass the authentication check. diff --git a/webgoat/main/project/WebContent/lesson_plans/HttpBasics.html b/webgoat/main/project/WebContent/lesson_plans/English/HttpBasics.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/HttpBasics.html rename to webgoat/main/project/WebContent/lesson_plans/English/HttpBasics.html diff --git a/webgoat/main/project/WebContent/lesson_plans/HttpOnly.html b/webgoat/main/project/WebContent/lesson_plans/English/HttpOnly.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/HttpOnly.html rename to webgoat/main/project/WebContent/lesson_plans/English/HttpOnly.html diff --git a/webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html b/webgoat/main/project/WebContent/lesson_plans/English/HttpSplitting.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html rename to webgoat/main/project/WebContent/lesson_plans/English/HttpSplitting.html diff --git a/webgoat/main/project/WebContent/lesson_plans/InsecureLogin.html b/webgoat/main/project/WebContent/lesson_plans/English/InsecureLogin.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/InsecureLogin.html rename to webgoat/main/project/WebContent/lesson_plans/English/InsecureLogin.html diff --git a/webgoat/main/project/WebContent/lesson_plans/JSONInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/JSONInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/JSONInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/JSONInjection.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html b/webgoat/main/project/WebContent/lesson_plans/English/JavaScriptValidation.html similarity index 75% rename from webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html rename to webgoat/main/project/WebContent/lesson_plans/English/JavaScriptValidation.html index 5ea803d95..7819de2bf 100644 --- a/webgoat/main/project/WebContent/lesson_plans/JavaScriptValidation.html +++ b/webgoat/main/project/WebContent/lesson_plans/English/JavaScriptValidation.html @@ -2,9 +2,13 @@

Lesson Plan Title: How to Bypass Client Side JavaScript Validation

Concept / Topic To Teach:

- + Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application. - +

General Goal(s):

For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting.
+ +This website performs both client and server side validation. For this exercise, your job is to break the client side validation and send the + website input that it wasn't expecting. You must break all 7 validators at the same time. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/Lesson_Plan_Template.html b/webgoat/main/project/WebContent/lesson_plans/English/Lesson_Plan_Template.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/Lesson_Plan_Template.html rename to webgoat/main/project/WebContent/lesson_plans/English/Lesson_Plan_Template.html diff --git a/webgoat/main/project/WebContent/lesson_plans/LogSpoofing.html b/webgoat/main/project/WebContent/lesson_plans/English/LogSpoofing.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/LogSpoofing.html rename to webgoat/main/project/WebContent/lesson_plans/English/LogSpoofing.html diff --git a/webgoat/main/project/WebContent/lesson_plans/MultiLevelLogin1.html b/webgoat/main/project/WebContent/lesson_plans/English/MultiLevelLogin1.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/MultiLevelLogin1.html rename to webgoat/main/project/WebContent/lesson_plans/English/MultiLevelLogin1.html diff --git a/webgoat/main/project/WebContent/lesson_plans/MultiLevelLogin2.html b/webgoat/main/project/WebContent/lesson_plans/English/MultiLevelLogin2.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/MultiLevelLogin2.html rename to webgoat/main/project/WebContent/lesson_plans/English/MultiLevelLogin2.html diff --git a/webgoat/main/project/WebContent/lesson_plans/NewLesson.html b/webgoat/main/project/WebContent/lesson_plans/English/NewLesson.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/NewLesson.html rename to webgoat/main/project/WebContent/lesson_plans/English/NewLesson.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/PasswordStrength.html b/webgoat/main/project/WebContent/lesson_plans/English/PasswordStrength.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/PasswordStrength.html rename to webgoat/main/project/WebContent/lesson_plans/English/PasswordStrength.html diff --git a/webgoat/main/project/WebContent/lesson_plans/PathBasedAccessControl.html b/webgoat/main/project/WebContent/lesson_plans/English/PathBasedAccessControl.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/PathBasedAccessControl.html rename to webgoat/main/project/WebContent/lesson_plans/English/PathBasedAccessControl.html diff --git a/webgoat/main/project/WebContent/lesson_plans/Phishing.html b/webgoat/main/project/WebContent/lesson_plans/English/Phishing.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/Phishing.html rename to webgoat/main/project/WebContent/lesson_plans/English/Phishing.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ReflectedXSS.html b/webgoat/main/project/WebContent/lesson_plans/English/ReflectedXSS.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ReflectedXSS.html rename to webgoat/main/project/WebContent/lesson_plans/English/ReflectedXSS.html diff --git a/webgoat/main/project/WebContent/lesson_plans/RemoteAdminFlaw.html b/webgoat/main/project/WebContent/lesson_plans/English/RemoteAdminFlaw.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/RemoteAdminFlaw.html rename to webgoat/main/project/WebContent/lesson_plans/English/RemoteAdminFlaw.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/RoleBasedAccessControl.html b/webgoat/main/project/WebContent/lesson_plans/English/RoleBasedAccessControl.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/RoleBasedAccessControl.html rename to webgoat/main/project/WebContent/lesson_plans/English/RoleBasedAccessControl.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SQLInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/SQLInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SQLInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/SQLInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html b/webgoat/main/project/WebContent/lesson_plans/English/SameOriginPolicyProtection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html rename to webgoat/main/project/WebContent/lesson_plans/English/SameOriginPolicyProtection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SessionFixation.html b/webgoat/main/project/WebContent/lesson_plans/English/SessionFixation.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SessionFixation.html rename to webgoat/main/project/WebContent/lesson_plans/English/SessionFixation.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html b/webgoat/main/project/WebContent/lesson_plans/English/SilentTransactions.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html rename to webgoat/main/project/WebContent/lesson_plans/English/SilentTransactions.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/SoapRequest.html b/webgoat/main/project/WebContent/lesson_plans/English/SoapRequest.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SoapRequest.html rename to webgoat/main/project/WebContent/lesson_plans/English/SoapRequest.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/SqlNumericInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SqlNumericInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/SqlNumericInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/SqlStringInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/SqlStringInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/SqlStringInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/StoredXss.html b/webgoat/main/project/WebContent/lesson_plans/English/StoredXss.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/StoredXss.html rename to webgoat/main/project/WebContent/lesson_plans/English/StoredXss.html diff --git a/webgoat/main/project/WebContent/lesson_plans/ThreadSafetyProblem.html b/webgoat/main/project/WebContent/lesson_plans/English/ThreadSafetyProblem.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/ThreadSafetyProblem.html rename to webgoat/main/project/WebContent/lesson_plans/English/ThreadSafetyProblem.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html b/webgoat/main/project/WebContent/lesson_plans/English/TomcatSetup.html similarity index 97% rename from webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html rename to webgoat/main/project/WebContent/lesson_plans/English/TomcatSetup.html index 7bda89cd7..2f33d253c 100644 --- a/webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html +++ b/webgoat/main/project/WebContent/lesson_plans/English/TomcatSetup.html @@ -1,114 +1,114 @@ - -

How To Configure Tomcat



-

Introduction

-

WebGoat comes with default configurations for Tomcat. This page will explain these configurations -and other possible configurations for Tomcat. This is just -a short description which should be enough in most cases. For more advanced tasks please -refer to the Tomcat documentation. Please note that all solutions -are written for the standard configurations on port 80. If you use another port you have -to adjust the solution to your configuration.

- -

The Standard Configurations

-

There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. - Both are identically with the only difference - that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have - to start WebGoat as root or with sudo if you want to run it on port 80 and - 443. - As running software as root is dangerous we strongly advice to use -the port 8080 and 8443. In Windows you can -run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you -can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these -configurations is guest with password guest -

- -

Server Configurations

-

-If you are a single user of WebGoat the standard configurations should be -enough but if you want to use WebGoat in laboratory or in class there -might be the need to change the configurations. Before changing -the configurations we recommend doing a backup of the files you change. -

- -

Change Ports

-

-To change the ports open the server_80.xml which you find in tomcat/conf and change the -non-SSL port. If you want to use it on port 8079 for example: -

- -
-	<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> 
-	<Connector address="127.0.0.1" port="8079"...
-
-

-You can also change the SSL connector to another port of course. -In this example to port 8442: -

-
-	<!-- Define a SSL HTTP/1.1 Connector on port 8442 --> 
-	<Connector address="127.0.0.1" port="8442"... 
+
+

How To Configure Tomcat



+

Introduction

+

WebGoat comes with default configurations for Tomcat. This page will explain these configurations +and other possible configurations for Tomcat. This is just +a short description which should be enough in most cases. For more advanced tasks please +refer to the Tomcat documentation. Please note that all solutions +are written for the standard configurations on port 80. If you use another port you have +to adjust the solution to your configuration.

+ +

The Standard Configurations

+

There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. + Both are identically with the only difference + that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have + to start WebGoat as root or with sudo if you want to run it on port 80 and + 443. + As running software as root is dangerous we strongly advice to use +the port 8080 and 8443. In Windows you can +run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you +can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these +configurations is guest with password guest +

+ +

Server Configurations

+

+If you are a single user of WebGoat the standard configurations should be +enough but if you want to use WebGoat in laboratory or in class there +might be the need to change the configurations. Before changing +the configurations we recommend doing a backup of the files you change. +

+ +

Change Ports

+

+To change the ports open the server_80.xml which you find in tomcat/conf and change the +non-SSL port. If you want to use it on port 8079 for example: +

+ +
+	<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> 
+	<Connector address="127.0.0.1" port="8079"...
 
-
- -

Make WebGoat Reachable From Another Client

-

THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS - UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN -SAFE NETWORKS!

-

By its default configurations WebGoat is only -reachable within the localhost. In a laboratory or a class -there is maybe the need of having a server and a few clients. -In this case it is possible to make WebGoat reachable. -

-

The reason why WebGoat is only reachable within the localhost is -the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set -to 127.0.0.1. The applications only listens on the port of this address for -incoming connections if it is set. If you remove this parameter the server listens on all IPs on the -specific port.

- -

Permit Only Certain Clients Connection

-

-If you have made WebGoat reachable it is reachable for -all clients. If you want to make it reachable only for certain clients specified -by there IP you can archive this by using a 'Remote Address Filter'. -The filter can be set in a whitebox or blackbox approach. Here is -only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: -

-
-	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
-	allow="127.0.0.1,ip1,ip2"/>
-
-

In this case only localhost, ip1 and ip2 are permitted to connect.

- -

WebGoat Default Users and Roles for Tomcat

-

-WebGoat requires the following users and roles to be configured in order for the application to run. -
-

-  >role rolename="webgoat_basic"/<
-  >role rolename="webgoat_admin"/<
-  >role rolename="webgoat_user"/<
-  >user username="webgoat" password="webgoat" roles="webgoat_admin"/<
-  >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/<
-  >user username="guest" password="guest" roles="webgoat_user"/<
-  
-

-

Adding Users

-

-Usually using WebGoat you just use the user guest with the password guest. -But maybe in laboratory you have made a setup with one server and a lot of -clients. In this case you might want to have a user for every client - and you have to alter tomcat-users.xml -in tomcat/conf as the users are stored there. We recommend not to use real passwords -as the passwords are stored in plain text in this file! -

-

Add User

-

-Adding a user is straight forward. You can use the guest entry as an example. The added -users should have the same role as the guest user. Add lines like this to the file: -

-
-	<user name="student1" password="password1" roles="webgoat_user"/>
-	<user name="student2" password="password2" roles="webgoat_user"/>
-	...
-
- +

+You can also change the SSL connector to another port of course. +In this example to port 8442: +

+
+	<!-- Define a SSL HTTP/1.1 Connector on port 8442 --> 
+	<Connector address="127.0.0.1" port="8442"... 
+
+
+ +

Make WebGoat Reachable From Another Client

+

THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS + UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN +SAFE NETWORKS!

+

By its default configurations WebGoat is only +reachable within the localhost. In a laboratory or a class +there is maybe the need of having a server and a few clients. +In this case it is possible to make WebGoat reachable. +

+

The reason why WebGoat is only reachable within the localhost is +the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set +to 127.0.0.1. The applications only listens on the port of this address for +incoming connections if it is set. If you remove this parameter the server listens on all IPs on the +specific port.

+ +

Permit Only Certain Clients Connection

+

+If you have made WebGoat reachable it is reachable for +all clients. If you want to make it reachable only for certain clients specified +by there IP you can archive this by using a 'Remote Address Filter'. +The filter can be set in a whitebox or blackbox approach. Here is +only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: +

+
+	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
+	allow="127.0.0.1,ip1,ip2"/>
+
+

In this case only localhost, ip1 and ip2 are permitted to connect.

+ +

WebGoat Default Users and Roles for Tomcat

+

+WebGoat requires the following users and roles to be configured in order for the application to run. +
+

+  >role rolename="webgoat_basic"/<
+  >role rolename="webgoat_admin"/<
+  >role rolename="webgoat_user"/<
+  >user username="webgoat" password="webgoat" roles="webgoat_admin"/<
+  >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/<
+  >user username="guest" password="guest" roles="webgoat_user"/<
+  
+

+

Adding Users

+

+Usually using WebGoat you just use the user guest with the password guest. +But maybe in laboratory you have made a setup with one server and a lot of +clients. In this case you might want to have a user for every client + and you have to alter tomcat-users.xml +in tomcat/conf as the users are stored there. We recommend not to use real passwords +as the passwords are stored in plain text in this file! +

+

Add User

+

+Adding a user is straight forward. You can use the guest entry as an example. The added +users should have the same role as the guest user. Add lines like this to the file: +

+
+	<user name="student1" password="password1" roles="webgoat_user"/>
+	<user name="student2" password="password2" roles="webgoat_user"/>
+	...
+
+ \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/TraceXSS.html b/webgoat/main/project/WebContent/lesson_plans/English/TraceXSS.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/TraceXSS.html rename to webgoat/main/project/WebContent/lesson_plans/English/TraceXSS.html diff --git a/webgoat/main/project/WebContent/lesson_plans/UncheckedEmail.html b/webgoat/main/project/WebContent/lesson_plans/English/UncheckedEmail.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/UncheckedEmail.html rename to webgoat/main/project/WebContent/lesson_plans/English/UncheckedEmail.html diff --git a/webgoat/main/project/WebContent/lesson_plans/UsefulTools.html b/webgoat/main/project/WebContent/lesson_plans/English/UsefulTools.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/UsefulTools.html rename to webgoat/main/project/WebContent/lesson_plans/English/UsefulTools.html diff --git a/webgoat/main/project/WebContent/lesson_plans/WSDLScanning.html b/webgoat/main/project/WebContent/lesson_plans/English/WSDLScanning.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/WSDLScanning.html rename to webgoat/main/project/WebContent/lesson_plans/English/WSDLScanning.html diff --git a/webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html b/webgoat/main/project/WebContent/lesson_plans/English/WeakAuthenticationCookie.html similarity index 80% rename from webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html rename to webgoat/main/project/WebContent/lesson_plans/English/WeakAuthenticationCookie.html index 9dad07df8..9c9b86c8a 100644 --- a/webgoat/main/project/WebContent/lesson_plans/WeakAuthenticationCookie.html +++ b/webgoat/main/project/WebContent/lesson_plans/English/WeakAuthenticationCookie.html @@ -3,8 +3,10 @@

Concept / Topic To Teach:

- + Many applications will automatically log a user into their site if the right authentication cookie is specified.   Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained.  Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability.  Some times the cookies maybe intercepted using Cross site scripting.  This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.
-

General Goal(s):

+ The user should be able to bypass the authentication check. +Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/WeakSessionID.html b/webgoat/main/project/WebContent/lesson_plans/English/WeakSessionID.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/WeakSessionID.html rename to webgoat/main/project/WebContent/lesson_plans/English/WeakSessionID.html diff --git a/webgoat/main/project/WebContent/lesson_plans/WelcomeScreeen.html b/webgoat/main/project/WebContent/lesson_plans/English/WelcomeScreeen.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/WelcomeScreeen.html rename to webgoat/main/project/WebContent/lesson_plans/English/WelcomeScreeen.html diff --git a/webgoat/main/project/WebContent/lesson_plans/WsSAXInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/WsSAXInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/WsSAXInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/WsSAXInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/WsSqlInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/WsSqlInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/WsSqlInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/WsSqlInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/XMLInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/XMLInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/XMLInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/XMLInjection.html 
diff --git a/webgoat/main/project/WebContent/lesson_plans/XPATHInjection.html b/webgoat/main/project/WebContent/lesson_plans/English/XPATHInjection.html similarity index 100% rename from webgoat/main/project/WebContent/lesson_plans/XPATHInjection.html rename to webgoat/main/project/WebContent/lesson_plans/English/XPATHInjection.html diff --git a/webgoat/main/project/WebContent/lesson_plans/German/BasicAuthentication.html b/webgoat/main/project/WebContent/lesson_plans/German/BasicAuthentication.html new file mode 100644 index 000000000..65490ef0c --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/BasicAuthentication.html @@ -0,0 +1,15 @@ +
+

Lehrplan: Basic Authentication

+
+

Lehrinhalt:

+ +"Basic Authentication" wird benutzt um Server-seitige Resource zu schützen. Wird eine Anfrage an eine geschützte Resource gestellt, so sendet der Webserver ein "401 authentication request" mit der Antwort auf diese Anfrage. +Dann fragt, auf der Client Seite, der Browser den Benutzer mittels einer Dialogbox nach Benutzername und Passwort für diese Resource. +Der Browser enkodiert Benutzername und Passwort mit base64 und sendet diese Zugangsdaten zum Webserver. +Daraufhin validiert der Webserver Benutzername und Passwort und gibt als Antwort die angeforderte Resource zurück falls die übermittelten Zugangsdaten korrekt sind. +Die Zugangsdaten werden vom Browser bei jedem weiteren Zugriff auf geschützte Resourcen mitgesendet ohne dass der Benutzer +sie ein weiteres Mal eingeben muss.
+
+

Grundsätzliche(s) Ziel(e):

+Das Ziel dieser Lektion ist es "Basic Authentication" zu verstehen und die folgenden Fragen zu beantworten. + diff --git a/webgoat/main/project/WebContent/lesson_plans/German/CommandInjection.html b/webgoat/main/project/WebContent/lesson_plans/German/CommandInjection.html new file mode 100644 index 000000000..a8de365cb --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/CommandInjection.html @@ -0,0 +1,16 @@ +
+

Lehrplan: Einschleusen von Programmcode

+
+

Konzept:

+ +Das Einschleusen von Programmcode stellt eine ernst zu nehmende Bedrohung für dynamische Webseiten dar. Entsprechende Angriffe +sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der Kompromittierung des kompletten Systems. +Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet für diese Form des Angriffs verwundbar. +Dieser Angriff ist zwar leicht durchzuführen, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken +leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen +besteht darin alle Eingabedaten zu säubern, insbesondere die Daten die in Betriebssystembefehlen, +Skripten und Datenbankabfragen eingebaut werden. +

Grundsätzliche(s) Ziel(e):

+ +Schleusen Sie einen Befehl in das darunterliegende Betriebssystem ein. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/HiddenFieldTampering.html b/webgoat/main/project/WebContent/lesson_plans/German/HiddenFieldTampering.html new file mode 100644 index 000000000..c4606ac75 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/HiddenFieldTampering.html @@ -0,0 +1,14 @@ +
+

Lehrplan: Versteckte Felder ausnutzen

+
+

Konzept:

+ +Entwickler benutzen versteckte Formularfelder zur Besucherverfolgung, für den Login, für Preisinformationen und andere +Informationen. Dies ist ein sehr einfacher und bequemer Mechnismus für Entwickler, allerdings werden die Werte +diese Felder nur selten geprüft bevor sie benutzt werden. In dieser Lektion lernt man wie man versteckte Felder +zu seinem Vorteil manipulieren kann. + +
+ +

Grundsätzliche(s) Ziel(e):

+Nutzen Sie ein verstecktes Formularfeld aus, um den HD Fernseher zu einem falschen Preis zu kaufen. diff --git a/webgoat/main/project/WebContent/lesson_plans/German/HtmlClues.html b/webgoat/main/project/WebContent/lesson_plans/German/HtmlClues.html new file mode 100644 index 000000000..70d63e5ee --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/HtmlClues.html @@ -0,0 +1,13 @@ +
+

Lehrplan: Nützliche Hinweise in HTML entdecken.

+
+ +

Konzept:

+ + Entwickler lassen oftmals Kommentare wie FIXME's, TODO's, Code Broken, Hack usw. im Quellcode. + Durchsuchen Sie den Quellcode nach allem was für Sie nach Passwörtern, Hintertüren oder anderen Unregelmäßigkeiten aussieht. + + +
+

Grundsätzliche(s) Ziel(e):

+Sie suchen und finden Hinweise im Quellcode die es Ihnen erlauben sich anzumelden. \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/HttpBasics.html b/webgoat/main/project/WebContent/lesson_plans/German/HttpBasics.html new file mode 100644 index 000000000..995912eeb --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/HttpBasics.html @@ -0,0 +1,29 @@ +
+

Lehrplan: Http Basics

+
+ +

Lehrinhalt:

+ Diese Lektion stellt die Verständnis-Grundlagen für den Datentransport zwischen Browser und Webapplikation dar.
+
+

+So funktioniert HTTP: +

+Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Körper. +Der Client initiiert eine Transaktion wie folgt:
+
+ Der Client kontaktiert den Server und sendet eine Dokumentenanfrage
+
+
+
    GET /index.html?param=value HTTP/1.0
+ Als nächstes sendet der Client optionale Kopfzeilen (Header) um den Server über die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.
+
+
    User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*
+Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet. +
+

Grundsätzliche(s) Ziel(e):

+ +Geben Sie Ihren Namen in das Eingabefeld ein und drücken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurückschicken. Dies stellt eine vollständige HTTP Transaktion dar! +

+Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knöpfe für Hinweise (Hints), für das Anzeigen von Parametern(Parameters) oder Cookies und für das Anzeigen von Java-Quellcode ausprobiert werden. +Außerdem, können Sie hier WebScarab gut ausprobieren. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/JavaScriptValidation.html b/webgoat/main/project/WebContent/lesson_plans/German/JavaScriptValidation.html new file mode 100644 index 000000000..f278bc9d9 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/JavaScriptValidation.html @@ -0,0 +1,19 @@ +
+

Lehrplan: Client-seitige JavaScript Validierung umgehen

+
+

Konzept:

+ +Client-seitige Validierung sollte nicht als eine sichere Maßnahme zur Validierung von Parametern angesehen werden. +Diese Art der Validierung kann höchstens den Server entlasten und verhindern das normale Benutzer Eingabedaten in +einem falschen Format absenden. Angreifer hingegen, können diesen Mechanismus auf verschiedene Arten umgehen. Jede +Client-seitige Validierung sollte auf der Serverseite wiederholt werden. Dies verhindert, dass unsichere Parameter +in der Applikation benutzt werden. + +
+

Grundsätzliche(s) Ziel(e):

+ +Das untenstehende Formular verlangt von Ihnen verschiedene Regeln beim Ausfüllen einzuhalten. Dies wird Client-seitig +überprüft. Versuchen Sie diese +Regeln zu brechen und senden Sie Daten an die Webseite die die Webseite nicht erwartet! Sie müssen alle 7 Regeln +gleichzeitig brechen! + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/LogSpoofing.html b/webgoat/main/project/WebContent/lesson_plans/German/LogSpoofing.html new file mode 100644 index 000000000..c5bbff3b0 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/LogSpoofing.html @@ -0,0 +1,17 @@ +
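Review bot: In the German JavaScriptValidation.html, "verhindern das normale Benutzer Eingabedaten in einem falschen Format absenden" needs the conjunction "dass" ("verhindern, dass normale Benutzer Eingabedaten ... absenden"), and the comma in "Angreifer hingegen, können" should be removed. The substance is sound: the text presents client-side validation as a convenience only and states that every rule has to be re-checked on the server.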
+

Lehrplan: Fälschen von Einträgen in Log Dateien (Log Spoofing)

+
+ +

Konzept:

+

+Log-Einträge in Log-Dateien müssen nicht immer von tatsächlichen Ereignissen stammen. Ein Angreifer kann durch Einschleusen +bestimmter Einträge das Eintreten bestimmter Ereignisse vortäuschen und dadurch den Administrator zu unnötigen bzw. voreiligen +Handlungen verleiten bzw. ihn einfach nur verwirren. +

+ +

Grundsätzliche(s) Ziel(e):

+ +* Der graue Bereich steht für das was tatsächlich in der Log-Datei des Webservers erscheint.
+* Ihr Ziel ist es so aussehen zu lassen, als hätte sich der Benutzer "admin" erfolgreich eingeloggt.
+* Verbessern Sie Ihren Angriff, indem Sie ein Skript (Javascript) in das Log schreiben. + diff --git a/webgoat/main/project/WebContent/lesson_plans/German/PathBasedAccessControl.html b/webgoat/main/project/WebContent/lesson_plans/German/PathBasedAccessControl.html new file mode 100644 index 000000000..c7afce017 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/PathBasedAccessControl.html @@ -0,0 +1,11 @@ +
+

Lehrplan: Umgehen eines Pfad-basierten Zugangskontrollschemas

+
+

Konzept:

+ +In einem Pfad-basierten Zugangangskontrollschemas (path based access control scheme), kann ein Angreifer den Pfad "bewandern" indem +er relative Pfadangaben übergibt. Dadurch kann der Angreifer auf Dateien zugreifen, die für niemanden zugänglich sind, bzw. zu denen +der Zugang bei direkter Anfrage ansonsten abgelehnt würde. + +

Grundsätzliche(s) Ziel(e):

+Sie sollten in der Lage sein auf eine Datei zuzugreifen die sich nicht im aufgelisteten Verzeichnis befindet. diff --git a/webgoat/main/project/WebContent/lesson_plans/German/ReflectedXSS.html b/webgoat/main/project/WebContent/lesson_plans/German/ReflectedXSS.html new file mode 100644 index 000000000..60f5e0e80 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/ReflectedXSS.html @@ -0,0 +1,19 @@ +
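Review bot: "Zugangangskontrollschemas" in the German PathBasedAccessControl.html is a typo, and after "In einem" the noun is dative singular, so the phrase should read "In einem Pfad-basierten Zugangskontrollschema". The clause "die für niemanden zugänglich sind" also overstates the point: the files are ones the application does not intend to expose to this user, not files nobody can reach; "die nicht zugänglich sein sollten" fits the second half of the sentence ("bei direkter Anfrage ansonsten abgelehnt würde").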
+

Lehrplan: Cross Site Scripting (XSS)

+
+

Konzept:

+ +Jegliche Eingabedaten sollten auf der Serverseite überprüft werden. +XSS passiert wenn nicht geprüfte Benutereingaben in eine HTTP Response eingebaut werden. +Bei einem reflektierten XSS Angriff, kann ein Angreifer eine URL erzeugen die ein Angriffsskript enthält und kann diese +URL auf einer Webseite hinterlegen, sie per Email verschicken oder ein Opfer auf eine andere Weise dazu bringen die +URL zu besuchen. + + + +

General Goal(s):

+ +Ihre Aufgabe ist es, sich ein Stück Javascript zu überlegen das Sie in diese Seite einbauen können. +Dann versuchen Sie die Seite dazu zu bringen, Ihnen dieses Skript wieder auszulieferen (es zu reflektieren) +so dass das Skript in Ihrem Browser ausgeführt wird. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/RemoteAdminFlaw.html b/webgoat/main/project/WebContent/lesson_plans/German/RemoteAdminFlaw.html new file mode 100644 index 000000000..dbaaeb3c3 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/RemoteAdminFlaw.html @@ -0,0 +1,16 @@ +
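Review bot: The goal heading in the German ReflectedXSS.html is still the English "General Goal(s):"; every other lesson plan added in this patch uses "Grundsätzliche(s) Ziel(e):", so this one should as well or the page mixes languages. Two typos in the same file: "Benutereingaben" should be "Benutzereingaben" and "auszulieferen" should be "auszuliefern".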
+

Lehrplan: Zugang zu Web-Resourcen erzwingen

+
+

Konzept::

+Applikationen haben oftmals eine Administrationsschnittstelle, das priviligierten Benutzern Zugang zu Funktionalität ermöglicht die +für normale Benutzer nicht sichtbar ist. Der Applikationsserver selbst hat auch oft noch eine seperate Administrationsschnittstelle. + +

Grundsätzliche(s) Ziel(e): + +Versuchen Sie auf die Administrationsschnittstelle von WebGoat zuzugreifen. Sie können auch versuchen auf die Administrationsschnittstelle +von Tomcat (der Applikationsserver) zuzugreifen. Die Tomcat Schnittstelle kann über die URL /admin erreicht werden, zählt aber nicht +für das Bestehen dieser Lektion. +Wenn Sie Zugriff auf Funktionalität der Administrationsschnittstelle erlangt haben, dann kommen Sie hierher zurück um zu sehen ob Sie +die Lektion abgeschlossen haben. + +
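Review bot: "Konzept::" in the German RemoteAdminFlaw.html has a doubled colon; the other plans use "Konzept:". In the concept text, "eine Administrationsschnittstelle, das priviligierten Benutzern" has a gender mismatch (the relative pronoun for "Schnittstelle" is "die") and two spelling errors: "priviligierten" should be "privilegierten" and "seperate" should be "separate".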

diff --git a/webgoat/main/project/WebContent/lesson_plans/German/SqlNumericInjection.html b/webgoat/main/project/WebContent/lesson_plans/German/SqlNumericInjection.html new file mode 100644 index 000000000..ad9e7cc41 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/SqlNumericInjection.html @@ -0,0 +1,18 @@ +
+

Lehrplan: Durchführung von Numeric SQL Injection

+
+ +

Konzept:

+SQL Injection Angriffe stellen eine ernstzunehmende Bedrohung für alle Datenbank-getriebenen Webseiten dar. +Entsprechende Angriffe sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der +Kompromittierung des kompletten Systems. +Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet für diese Form des Angriffs verwundbar. +Dieser Angriff ist zwar leicht durchzuführen, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken +leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen +besteht darin alle Eingabedaten zu säubern, insbesondere die Daten die in Betriebssystembefehlen, +Skripten und Datenbankabfragen eingebaut werden. +

Grundsätzliche(s) Ziel(e):

+ +Das untenstehende Formular ermöglicht es dem Benutzer Wetterdaten zu betrachten. Versuchen Sie einen SQL String einzuschleusen, der +als Resultat alle Wetterdaten anzeigt. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/SqlStringInjection.html b/webgoat/main/project/WebContent/lesson_plans/German/SqlStringInjection.html new file mode 100644 index 000000000..0cd360db7 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/SqlStringInjection.html @@ -0,0 +1,20 @@ +
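Review bot: In the German SqlNumericInjection.html, "der verursachte Schaden ist schwer bzw. entspricht der Kompromittierung des kompletten Systems" is unclear: "schwer" here should be "schwerwiegend", and "bzw." does not express the intended escalation. "der verursachte Schaden kann schwerwiegend sein, bis hin zur Kompromittierung des kompletten Systems" states what the sentence means. Also "Angriffstypen" in "Verhinderung dieser Angriffstypen" should be "Angriffstypen" in the genitive, i.e. "dieses Angriffstyps", since the sentence talks about one type of attack.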
+

Lehrplan: Durchführung von String SQL Injection

+
+ +

Konzept:

+ +SQL Injection Angriffe stellen eine ernstzunehmende Bedrohung für alle Datenbank-getriebenen Webseiten dar. +Entsprechende Angriffe sind leicht zu lernen und der verursachte Schaden ist schwer bzw. entspricht der +Kompromittierung des kompletten Systems. +Trotz dieses Gefahrenpotentials ist eine unglaubliche Anzahl von Systemen im Internet für diese Form des Angriffs verwundbar. +Dieser Angriff ist zwar leicht durchzuführen, allerdings ist er auch mit ein wenig gesundem Menschenverstand und Vorausdenken +leicht zu verhindern. Die anerkannte Vorgehensweise zur Verhinderung dieser Angriffstypen +besteht darin alle Eingabedaten zu säubern, insbesondere die Daten die in Betriebssystembefehlen, +Skripten und Datenbankabfragen eingebaut werden. +

Grundsätzliche(s) Ziel(e):

+ +Das untenstehende Formular erlaubt es Benutzern ihre Kreditkartennummern anzuzeigen. Das können Sie +exemplarisch mit dem Benutzernamen "Smith" ausprobieren. +Versuchen Sie einen SQL String einzuschleusen, der als Resultat alle Kreditkartennummern anzeigt. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/StoredXss.html b/webgoat/main/project/WebContent/lesson_plans/German/StoredXss.html new file mode 100644 index 000000000..74463c949 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/StoredXss.html @@ -0,0 +1,16 @@ +
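Review bot: The concept paragraph in the German SqlStringInjection.html is a verbatim copy of the one in SqlNumericInjection.html, including the unclear "der verursachte Schaden ist schwer bzw. entspricht der Kompromittierung des kompletten Systems"; whatever wording fix is applied to one file should be applied to both, or the shared paragraph should come from a single source so the two plans cannot drift apart. The goal text itself is fine, and the example user "Smith" gives the learner a concrete starting point.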
+

Lehrplan: Durchführen von Stored Cross Site Scripting (XSS)

+
+

Konzept:

+ +Man sollte Eingabedaten immer säubern, besonders diese die später als parameter für Betriebssystembefehle, Skripte +und Datenbankabfragen benutzt werden. Essentiell ist das für Inhalt der irgendwo in der Applikation permanent gespeichert +wird. Benutzer sollten nicht in der Lage sein eigene Inhalte zu hinterlassen, durch die andere Nutzer ungewünschte +Seiten oder Inhalte nachladen wenn der Inhalt betrachtet wird. + + +

Grundsätzliche(s) Ziel(e):

+ +Hinterlassen Sie Inhalt der den Browser eines anderen Benutzers dazu bringt eine unerwünschte +Seite bzw. Inhalt anzuzeigen. + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/lesson_plans/German/WeakAuthenticationCookie.html b/webgoat/main/project/WebContent/lesson_plans/German/WeakAuthenticationCookie.html new file mode 100644 index 000000000..5475df32c --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/German/WeakAuthenticationCookie.html @@ -0,0 +1,22 @@ +
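Review bot: In the German StoredXss.html, "als parameter" should be capitalised ("als Parameter"), and "Essentiell ist das für Inhalt der irgendwo in der Applikation permanent gespeichert wird" needs a comma before the relative clause: "Essentiell ist das für Inhalt, der irgendwo in der Applikation permanent gespeichert wird." The last sentence of the concept also needs a comma before "wenn der Inhalt betrachtet wird", and "ungewünschte" should be "unerwünschte", which is the word the goal text already uses.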
+

Lehrplan: Einen Authentisierungs Cookie fa¨lschen

+
+ +

Lehrinhalt:

+ +Viele Webapplikationen erlauben es einem Benutzer sofort eingeloggt zu sein, sobald der Benutzer den richtigen Authentisierungs Cookie übergibt. +Manchmal kann der richtige Wert dieses Cookies geraten werden, wenn der Algorithmus zur Generierung dieser Cookies bekannt ist. +Der Cookie kann auch von dem Computer des Benutzers gestohlen werden indem andere Schwachstellen in seinem System ausgenutzt werden. +Mittels Cross Site Scripting (XSS) kann der Cookie auch abgefangen werden. +Diese Übung soll Sie auf das Thema der Authentisierungs Cookies aufmerksam machen und gibt Ihnen +die Möglichkeit die Authentisierungsmethode dieser Lektion zu überwinden. + + + +

Grundsätzliche(s) Ziel(e):

+ + Es ist Ihre Aufgabe die Authentisierung zu umgehen. Melden Sie sich mit dem Benutzernamen "webgoat" und dem Passwort "webgoat" an + und schauen Sie was passiert. Sie können auch versuchen Sich mit aspect/aspect anzumelden. Wenn Sie den Authentisierungs Cookie verstehen, + versuchen Sie Ihre Identität zu "alice" zu wechseln. + + \ No newline at end of file diff --git a/webgoat/main/project/WebContent/main.jsp b/webgoat/main/project/WebContent/main.jsp index 451258783..6d59a5b2f 100644 --- a/webgoat/main/project/WebContent/main.jsp +++ b/webgoat/main/project/WebContent/main.jsp @@ -1,5 +1,5 @@ <%@ page contentType="text/html; charset=ISO-8859-1" language="java" - import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, java.util.*" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" errorPage="" %> <% Course course = ((Course)session.getAttribute("course")); @@ -107,7 +107,7 @@ StringBuffer buildList = new StringBuffer(); } } %> -<% + <% } %> @@ -115,7 +115,21 @@ StringBuffer buildList = new StringBuffer(); }%>
-
LogOut Help
+
+ +
+ Choose another language: + + +
LogOut Help
<%=currentLesson.getTitle()%>
@@ -179,8 +193,8 @@ StringBuffer buildList = new StringBuffer(); { %> <% }
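Review bot: The title of the German WeakAuthenticationCookie.html reads "fa¨lschen": the umlaut is encoded as a plain "a" followed by a combining diaeresis (U+0308) rather than the precomposed "ä" used in every other new file. It renders inconsistently and the two spellings do not compare equal as strings. Replace it with "fälschen" and check that all lesson plan files are stored in the encoding the application reads them with; main.jsp declares "charset=ISO-8859-1" in its page directive, so an umlaut stored in a different encoding than the one used to read and serve the file will appear as mojibake.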
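Review bot: The block added to main.jsp after "LogOut Help" hardcodes the English label "Choose another language:"; in an internationalisation patch that string should go through the same label lookup the lessons now use (WebGoatI18N, which the new "org.owasp.webgoat.util.*" import already makes available), otherwise the language chooser is the one element that never changes language. The markup of the selector itself is not visible in this view, so one thing should be confirmed wherever the chosen value is consumed: the value must be matched against the set of languages actually discovered under lesson_plans/ (this patch adds lesson_plans/German/) and rejected otherwise, rather than used directly to build a directory or properties file name, since the parameter comes from the client.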