Introduction Section altered
git-svn-id: http://webgoat.googlecode.com/svn/trunk@330 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
parent
bb327cc3c8
commit
ff64cf84c0
@ -1,31 +1,44 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> How to Work with WebGoat </p>
</div>

<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
<h1>How To Work With WebGoat</h1>
<p>
Welcome to a short introduction of WebGoat.<br>
Here you will learn how to use WebGoat and additional tools for the lessons.<br><br>
<b>The interface of WebGoat</b><br><br>
</p>
<h1>Environment Information</h1>
<p>
WebGoat uses Apache Tomcat as server. It is setup to run on localhost. This
configuration is for single user. If you want to use WebGoat in a laboratory or in
class you might need to change the setup. Please refer to the Tomcat Configuration
in the Introduction section.</p>

<h2>The Interface Of WebGoat</h2>
<p>
<img src="/WebGoat/images/introduction/interface.jpg"><br><br>
1. Here you see all Categories of Lessons in WebGoat. Click on the Categories to see all Lessons in it.<br>
2. This link will give you the technical background to solve the lesson.<br>
3. Do you need some help to find the solution? Here you will find useful hints.<br>
4. Here you will find a complete solution of the selected lesson.<br>
5. If you want to restart a lesson you can use this link.<br><br><br>
<b>Solve the Lesson</b><br><br>
Always read first the lessons plan. Then try to solve the lesson and if necessary, use the hints. If you cannot solve the lesson using the hints, you may watch the solution. Here every step is explained.<br><br><br>
<b>Read and edit Parameters</b><br><br>
To read and edit Parameters you need a proxy to intercept the HTTP request. Here we use WebScarab. More informations to WebScarab you will get in the Chapter "Useful Tools".
5. If you want to restart a lesson you can use this link.</p>
<h2>Solve The Lesson</h2>
<p>
Always read first the lessons plan. Then try to solve the lesson and if necessary,
use the hints. If you cannot solve the lesson using the hints, you may watch the
solution. Here every step is explained.</p>
<h2>Read And Edit Parameters</h2>
<p>
To read and edit Parameters you need a proxy to intercept the HTTP request.
Here we use WebScarab. More informations to WebScarab you will get in the
Chapter "Useful Tools".
After installing WebScarab and making a proxy on localhost we can start.<br><br>
<img src="/WebGoat/images/introduction/HowToUse_1.jpg"><br><br>
We have to select "intercept request" in the tab "Intercept". If we send a new HTTP request now, we get a new WebScarab window.<br><br>
<img src="/WebGoat/images/introduction/HowToUse_2.jpg"><br><br>
Here we can read and edit the sent parameter. After "Accept changes" the request will be sent to the server.
<br><br><br>
<b>Read and edit Cookies</b><br><br>
</p>
<h2>Read And Edit Cookies</h2>
<p>
Often it is not only necessary to change the value of parameters but to change the value of cookies. We use again WebScarab and intercept the request as explained in the last topic.<br><br>
<img src="/WebGoat/images/introduction/HowToUse_3.jpg"><br><br>
We again get the new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
<br><br><br>
</p>
<!-- Stop Instructions -->
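Review bot: the line "5. If you want to restart a lesson you can use this link.</p>" appears twice in this hunk, once ending the old paragraph and once inside the new `<h2>` layout; confirm the old one is the removed line so that the `<p>` opened after `<h2>The Interface Of WebGoat</h2>` is closed exactly once. In the new "Read And Edit Parameters" paragraph, "More informations to WebScarab you will get in the Chapter "Useful Tools"" should read "More information on WebScarab is given in the chapter "Useful Tools"", and "making a proxy on localhost" should say that the browser is configured to use the WebScarab proxy on localhost, since that is the step the reader must perform before the Intercept tab shows any request. The five numbered interface items would also render better as an `<ol>` than as `<br>`-separated lines.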
@ -1,18 +1,13 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> How to Add a New WebGoat Lesson </p>
</div>

<p><b>Concept / Topic To Teach:</b> </p>

<!-- Start Instructions -->
<h1>Create A WebGoat Lesson</h1>
<p>
Adding lessons to WebGoat is very easy. If you have an idea that would be suitable<br>
for a new lesson, follow these few simple instructions to implement it:<br><br>
* Download the source code from <a href="http://code.google.com/p/webgoat/">here.</a><br><br>
* Setup framework: follow the simple instructions in "HOW TO create the WebGoat workspace.txt" that comes with the project.<br><br>
* You need to add two files for each new lesson: <br>
- YourLesson.java to org.owasp.webgoat.lessons<br>
- YourLesson.html to WebContent/lesson_plans<br><br>
- YourLesson.html to WebContent/lesson_plans</p>
<!-- Stop Instructions -->
<br>

<p><b>General Goal(s):</b> </p>
The user should be able to learn how to add a new lesson.
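Review bot: the step list uses literal `*` and `-` characters with `<br>` separators; use `<ul>`/`<li>` (nested for the two files) so it renders as a list and the file items stay indented. The "Setup framework" step sends the reader to "HOW TO create the WebGoat workspace.txt", but nothing here says which LessonAdapter methods YourLesson.java has to implement, and the detailed "adding a lesson" text file is deleted in this same commit; either keep that file or fold its method outline into this lesson plan. Also move the period outside the anchor in "from <a ...>here.</a>".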
@ -1,5 +1,5 @@
<!-- Start Instructions -->
<h1>How To Setup Tomcat</h1><br><br>
<h1>How To Configure Tomcat</h1><br><br>
<h2>Introduction</h2>
<p>WebGoat comes with a sane default setup for Tomcat. This page will explain the setup
and which further possibilites you have to setup Tomcat. This is just
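Review bot: renaming the heading from "Setup" to "Configure" is fine, but the `<br><br>` after the `<h1>` should go too, since spacing belongs to the stylesheet and the other lesson plans touched in this commit do not add it; the context line "and which further possibilites you have to setup Tomcat" misspells "possibilities" and could be fixed in the same pass.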
@ -8,7 +8,7 @@ refer to the Tomcat documentation. Please note that all solutions
are written for the standard setup on port 80. If you use another configuration you have
to ajust the solution to your configuration.</p>

<h2>The standard Setup</h2>
<h2>The Standard Configuration</h2>
<p>There are two standard Tomcat setups. In this setups WebGoat is only reachable from within
the localhost.
Both are identically with the only difference
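Review bot: while the heading is being renamed to "The Standard Configuration", the surrounding wording should be corrected as well: "to ajust" is "to adjust", "In this setups" is "In these setups", and "Both are identically with the only difference" should read "Both are identical; the only difference".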
@ -47,12 +47,13 @@ In this example to port 8442:
<pre>
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
<Connector address="127.0.0.1" port="8442"...
</pre>
</pre>
<br>

<h3>Make WebGoat Reachable From Another Client</h3>
<p><b>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
SAVE NETWORKS!</b></p>
SAVE NETWORKS!</p>
<p>By its default configuration WebGoat is only
reachable within the localhost. In a laboratory or a class
there is maybe the need of having a server and a few clients.
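Review bot: "SAVE NETWORKS" should be "SAFE NETWORKS" on both sides of the `<b>` change, and the warning should say what safe means here: an isolated lab network with no route to the internet, because the address="127.0.0.1" attribute on the Connector shown at the top of this hunk is what keeps this deliberately vulnerable application unreachable from other hosts. Two consecutive `</pre>` lines appear in the hunk; confirm the result has exactly one closing tag for the `<pre>` block.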
@ -1,16 +1,21 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> Useful Toolst </p>
</div>

<p><b>Concept / Topic To Teach:</b> </p>

<!-- Start Instructions -->
Here we want to present you some useful tools. You will need WebScarab to solve most of the lessons. <br><br>
<b>WebScarab:</b><br><br>
As WebGoat, WebScarab is a part of OWASP. WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. Because WebScarab operates as an intercepting proxy, we can review and modify requests and responses.<br><br>
<h1>Useful Tools</h1>
<p>
Here we want to present you some useful tools. You will need WebScarab
to solve most of the lessons. </p>
<h2>WebScarab:</h2>
<p>
As WebGoat, WebScarab is a part of OWASP.
WebScarab is a framework for analysing applications that
communicate using the HTTP and HTTPS protocols. Because WebScarab
operates as an intercepting proxy, we can review and modify requests
and responses.<br><br>
<img src="/WebGoat/images/introduction/webscarab.jpg"><br><br>
Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
<br><br>
<b>Firebug:</b><br><br>
</p>
<h2>Firebug:</h2>
<p>
Firebug is an add-on for the Firefox browser. We can use it to inspect, edit and monitor CSS, HTML and JavaScript.<br><br>
<img src="/WebGoat/images/introduction/firebug.jpg"><br><br>
Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebug.com</a>
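Review bot: "Useful Toolst" in the Lesson Plan Title is a typo for "Useful Tools". "As WebGoat, WebScarab is a part of OWASP" reads better as "Like WebGoat, WebScarab is an OWASP project", the new `<h2>WebScarab:</h2>` and `<h2>Firebug:</h2>` headings carry over a trailing colon from the old `<b>` labels that should be dropped, and "Webpage:<a ...>" is missing a space after the colon.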
@ -19,10 +24,12 @@ Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebu
IEWatch is a tool to analyse HTTP and HTML for users of the Internet Explorer.<br><br>
<img src="/WebGoat/images/introduction/iewatch.jpg"><br><br>
Webpage:<a href="http://www.iewatch.com" target="_blank">http://www.iewatch.com</a>
<br><br>
<b>Scanner:</b><br><br>
</p>
<h2>Scanner:</h2>
<p>
There exist a lot of vulnerability scanner for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Here the links to two open source scanner. <br><br>
Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br>
Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br>
</p>
<!-- Stop Instructions -->
<br>
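Review bot: Nessus has not been open source since version 3, so "Here the links to two open source scanner" is inaccurate for the Nessus link; either describe them as freely available scanners or replace Nessus with an open-source web application scanner, and note that Nessus is a general network vulnerability scanner rather than a web-application tool like Paros. Grammar in the same paragraph: "There exist a lot of vulnerability scanner" should be "There are many vulnerability scanners", "Here the links" should be "Here are the links", and the IEWatch line should say "users of Internet Explorer". The trailing colon in `<h2>Scanner:</h2>` should go as well.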
@ -565,28 +565,7 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Add a Proxy on localhost in the settings of your browser. Then you can start WebScarab .We have to select "intercept request" in the tab "Intercept".<o:p></o:p></span></p>

<p class=MsoNormal style='page-break-after:avoid'><span style='font-size:8.0pt;
font-family:"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shapetype
id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t"
path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter"/>
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0"/>
<v:f eqn="sum @0 1 0"/>
<v:f eqn="sum 0 0 @1"/>
<v:f eqn="prod @2 1 2"/>
<v:f eqn="prod @3 21600 pixelWidth"/>
<v:f eqn="prod @3 21600 pixelHeight"/>
<v:f eqn="sum @0 0 1"/>
<v:f eqn="prod @6 1 2"/>
<v:f eqn="prod @7 21600 pixelWidth"/>
<v:f eqn="sum @8 21600 0"/>
<v:f eqn="prod @7 21600 pixelHeight"/>
<v:f eqn="sum @10 21600 0"/>
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
<o:lock v:ext="edit" aspectratio="t"/>
<img src="/WebGoat/lesson_solutions/HttpBasics_files/webscarab1.jpg"></span></p>
<img src="/WebGoat/lesson_solutions/HttpBasics_files/webscarab1.jpg">

<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
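Review bot: replacing the Word VML `<v:shapetype>` block with a plain `<img>` is the right direction, but make sure the opening `<p class=MsoNormal style='page-break-after:avoid'><span ...>` is removed together with its `</span></p>` so the tags stay balanced, and give the caption that follows ("<p class=MsoCaption>Figure <!--[if supportFields]> ... SEQ Figure \* ARABIC") the same cleanup, since it is the same kind of Word field residue. In the first paragraph, "start WebScarab .We have to" has the period on the wrong side of the space.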
@ -1,189 +0,0 @@
Detailed instructions for adding a lesson

All you have to do is implement the abstract methods in LessonAdapter.
Follow the outline below.

WebGoat uses the Element Construction Set from the Jakarta project.
You should read up on the API for ECS at
http://jakarta.apache.org/site/downloads/downloads_ecs.cgi.
In addition you can look at the other lessons for examples of how to use the ECS.



Step 1: Set up the framework

import java.util.*;
import org.apache.ecs.*;
import org.apache.ecs.html.*;

// Add copyright text - use text from another lesson

public class NewLesson extends LessonAdapter
{

protected Element createContent(WebSession s)
{
return( new StringElement( "Hello World" ) );
}

public String getCategory()
{
}

protected List getHints()
{
}

protected String getInstructions()
{
}

protected Element getMenuItem()
{
}

protected Integer getRanking()
{
}

public String getTitle()
{
}
}



Step 2: Implement createContent

Creating the content for a lesson is fairly simple. There are two main parts:
(1) handling the input from the user's last request,
(2) generating the next screen for the user.
This all happens within the createContent method. Remember that each lesson
should be handled on a single page, so you'll need to design your lesson to
work that way. A good generic pattern for the createContent method is shown
below:

// define a constant for the field name
private static final String INPUT = "input";

protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
// get some input from the user -- see ParameterParser
// for details
String userInput = s.getParser().getStringParameter(INPUT, "");

// do something with the input
// -- SQL query?
// -- Runtime.exec?
// -- Some other dangerous thing

// generate some output -- a string and an input field
ec.addElement(new StringElement("Enter a string: "));
ec.addElement( new Input(Input.TEXT, INPUT, userInput) );

// Tell the lesson tracker the lesson has completed.
// This should occur when the user has 'hacked' the lesson.
makeSuccess(s);

}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}

ECS is quite powerful -- see the Encoding lesson for an example of how
to use it to create a table with rows and rows of output.


Step 3: Implement the other methods

The other methods in the LessonAdapter class help the lesson plug into
the overall WebGoat framework. They are simple and should only take a
few minutes to implement.

public String getCategory()
{
// The default category is "General" Only override this
// method if you wish to create a new category or if you
// wish this lesson to reside within a category other the
// "General"

return( "NewCategory" ); // or use an existing category
}

protected List getHints()
{
// Hints will be returned to the user in the order they
// appear below. The user must click on the "next hint"
// button before the hint will be displayed.

List hints = new ArrayList();
hints.add("A general hint to put users on the right track");
hints.add("A hint that gives away a little piece of the problem");
hints.add("A hint that basically gives the answer");
return hints;
}

protected String getInstructions()
{
// Instructions will rendered as html and will appear below
// the area and above the actual lesson area.
// Instructions should provide the user with the general setup
// and goal of the lesson.

return("The text that goes at the top of the page");
}

protected Element getMenuItem()
{
// This is the text of the link that will appear on
// the left hand menus under the appropriate category.
// Their is a limited amount of horizontal space in
// this area before wrapping will occur.

return( "MyLesson" );
}

protected Integer getRanking()
{
// The ranking denotes the order in which the menu item
// will appear in menu list for each category. The lowest
// number will appear as the first lesson.

return new Integer(10);
}

public String getTitle()
{
// The title of the lesson. This will appear above the
// control area at the top of the page. This field will
// be rendered as html.

return ("My Lesson's Short Title");
}


Step 4: Build and test

Once you've implemented your new lesson, you can test the lesson by
starting the Tomcat server (within Eclipse). See the
"HOW TO create the WebGoat workspace.txt" document in the WebGoat root.




Step 5: Give back to the community

If you've come up with a lesson that you think helps to teach people about
web application security, please contribute it by sending it to the people
who maintain the WebGoat application.

Thanks!

The WebGoat Team.
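Review bot: this deletes the only document that lists the LessonAdapter methods a new lesson must implement (createContent, getCategory, getHints, getInstructions, getMenuItem, getRanking, getTitle) and shows how a lesson reads its input through s.getParser().getStringParameter(INPUT, "") and reports completion with makeSuccess(s); the new "How to Add a New WebGoat Lesson" plan in this commit only names the two files to add. Keep this file, or move Steps 1 to 3 into that lesson plan before removing it. If it is kept, the Step 1 skeleton leaves getCategory, getHints, getInstructions, getMenuItem, getRanking and getTitle with empty bodies, which will not compile until Step 3 is applied; one sentence saying so would spare new contributors a confusing first build.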
Binary file not shown.
Binary file not shown.