dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,884 Commits 11 Branches 78 Tags
Commit Graph

3884 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
rogan.dawes
900a222316 Change the default webgoat password 
Add an underscore to the password to allow us to keep the same
password across multiple platforms, including those that enforce
password quality (e.g. SQL Server)


git-svn-id: http://webgoat.googlecode.com/svn/trunk@239 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:13:21 +00:00
rogan.dawes
cb2a3784b6 Change DBSQLInjection lesson to count the matched rows 
This is an improvement over expecting the stored proc
to throw an exception, and is more portable


git-svn-id: http://webgoat.googlecode.com/svn/trunk@238 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:13:13 +00:00
rogan.dawes
0149a699a3 minor bug fixes. 
Minor updates to concurrency cart


git-svn-id: http://webgoat.googlecode.com/svn/trunk@237 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:12:44 +00:00
rogan.dawes
1ce614f733 Merge with major changes made by Aspect 
Several new lessons added


git-svn-id: http://webgoat.googlecode.com/svn/trunk@236 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:12:31 +00:00
rogan.dawes
137b7c813c several minor bug fixes. 
UpdateProfile uses prepared statements.
ReflectedXSS "code" input field vulnerable to XSS.
Minor updates to concurrency cart


git-svn-id: http://webgoat.googlecode.com/svn/trunk@235 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:11:50 +00:00
rogan.dawes
6c9c53b938 Remove some unused imports 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@234 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:11:27 +00:00
rogan.dawes
c3cee22113 Fix database connetion handling. 
Oracle requires us to close our connections after each
request (or else implement a connection pool), otherwise
we will end up running out of available connections.

While the mechanism for doing this was added in a previous
change, actually using it correctly was omitted somehow.
Fix that now.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@233 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:11:12 +00:00
rogan.dawes
aab0125c50 Synchronize access to the DatabaseUtilities core methods 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@232 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:10:39 +00:00
rogan.dawes
531991f26d Replace the "Stage n" text in the instructions 
Since we now use a link in the menu to choose a stage, rather than the
drop down, we need the Stage number to be visible


git-svn-id: http://webgoat.googlecode.com/svn/trunk@231 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:10:29 +00:00
rogan.dawes
8b21a7785e Update the DB lessons 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@230 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:10:10 +00:00
rogan.dawes
d9cf56268e Fix line endings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@229 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:49 +00:00
rogan.dawes
427832411c Fix line endings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@228 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:41 +00:00
rogan.dawes
5457faf9a3 Add Rogan Dawes to the challenge screen as a contributor 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@227 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:33 +00:00
rogan.dawes
647c0c4a34 Allow accessing Web Services when WebGoat is on a non-standard port 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@226 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:27 +00:00
rogan.dawes
64ce7068c4 Move the Thread Safety lesson into the Concurrency category 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@225 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:13 +00:00
rogan.dawes
92072f3921 Update the Challenge Stage 2 to be more realistic 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@224 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:00 +00:00
rogan.dawes
af8e61eb9f Change the line endings on the instructions 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@223 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:08:48 +00:00
rogan.dawes
2fd09c3084 Add a new Concurrency lesson 
Created by Ryan Knell @Aspect Security


git-svn-id: http://webgoat.googlecode.com/svn/trunk@222 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:08:45 +00:00
mayhew64
3b128c8ebb Removed space from path information 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@221 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-09 19:50:49 +00:00
mayhew64
84ca966ce5 Added client side validation to HiddenFieldTampering.java, added a new ECS makeButton with a OnClick function, corrected authorship in several files 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@220 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-09 13:28:07 +00:00
mayhew64
3645564018 Added source parameter to "Show Java" for showing lesson source code. Added Google Mail configuration to UncheckedEmail lesson. 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@219 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-08 12:53:09 +00:00
mayhew64
d92c716ff4 Added source parameter to "Show Java" for showing lesson source code. Added Google Mail configuration to UncheckedEmail lesson. 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@218 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-08 12:51:13 +00:00
mayhew64
23e7fe1f4f Build cleanup in order to create a complete developer distribution. More menu cleanup 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@217 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-03 21:09:17 +00:00
mayhew64
f6e0cb7ed0 Don't know what these are? 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@216 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-03 21:06:52 +00:00
mayhew64
822ce10ca2 5.1 RC2 build updates 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@215 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-02 14:05:58 +00:00
mayhew64
c1f55215a8 Menu cleanup for Lab stages. Shortened menu names for most lessons. Changed category naming to be more meaningful. 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@214 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-02 13:48:19 +00:00
mayhew64
ee0bc82bec Single platform build.xml 
Modified Lesson banners
Solutions guide and framework

git-svn-id: http://webgoat.googlecode.com/svn/trunk@213 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-10-08 20:37:43 +00:00
rogan.dawes
a9fe7e6099 Implement non-coding modes for the labs 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@211 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:57:57 +00:00
rogan.dawes
f62eb33c4b Commit Dave's fixes 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@210 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:57:17 +00:00
rogan.dawes
d9979e46ed Another place where we need to compare without case 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@209 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:56:51 +00:00
rogan.dawes
b67bb702d2 Fix more places where the email address was hard-coded 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@208 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:56:35 +00:00
rogan.dawes
6de7bd9ec9 Fix the feedback address in other places 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@207 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:56:06 +00:00
rogan.dawes
d65f5bfd85 Make the stages not right aligned 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@206 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:55:57 +00:00
rogan.dawes
7fd112bc5d Update Random Access Lessons to not include the stage number in the text 
We add the stage number programmatically now, since we want to be able
to skip some stages.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@205 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:55:49 +00:00
rogan.dawes
add34a24dc Make the test for the Auth header name case-insensitive 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@204 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:55:18 +00:00
rogan.dawes
043c0e5926 Remove Microsoft quotes 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@203 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:37:58 +00:00
rogan.dawes
fb76b4916f Unify web.xml files. Also update the webgoat contact email address 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@202 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:37:42 +00:00
rogan.dawes
f9b5f8eddf Show completion of individual lesson stages 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@201 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:37:31 +00:00
rogan.dawes
a2f99be11a Remove unnecessary setMessage() calls 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@200 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:37:24 +00:00
rogan.dawes
f831487fa2 Add descriptions to the stages 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@199 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:36:42 +00:00
rogan.dawes
002dbbf53c Point the windows config file to use the HSQLDB database 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@198 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:36:11 +00:00
rogan.dawes
5fd4b44303 Fix line endings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@197 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:36:02 +00:00
rogan.dawes
c65faceb1a A recent change to AbstractLesson.getLink() broke visit tracking 
Fix the lesson tracking to be more specific.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@196 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:35:42 +00:00
rogan.dawes
c1ddbd078f Correctly specify an in-memory database 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@195 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:35:31 +00:00
rogan.dawes
ee8e9d91bb Mark SequentialLessonAdapter as abstract to prevent instantiation 
Otherwise it shows up as an "Untitled Lesson"


git-svn-id: http://webgoat.googlecode.com/svn/trunk@194 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:35:22 +00:00
rogan.dawes
0c2e04c655 Remove unused import 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@193 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:35:06 +00:00
rogan.dawes
7af27f7d1b Make per-user in-memory databases actually work 
Previously we would just get a connection to the same database, regardless
of the user specified in the connect string. Trying to create
HSQLDB users did not seem to work. Non-ADMIN users don't have
CREATE TABLE privileges, it seems, and I couldn't find docs that
describe how to GRANT CREATE TABLE privileges. Go figure.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@192 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:34:53 +00:00
rogan.dawes
cf047786f3 An INSERT statement cannot be executed as a query 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@191 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:34:31 +00:00
rogan.dawes
d04371884b Allow WebGoat to create per-user databases 
This creates the infrastructure to allow WebGoat to create per-user
databases, so that any modifications made by one user do not affect
other users. Some lessons may have made provision for this internally
(e.g. CrossSiteScripting lesson), but this simplifies things generally.

This also switches the default database from Access on windows, and
Enhydra on Unix/other platforms to using HSQLDB, in an "in-memory"
configuration. We may get performance problems from having too many
instances of the database in memory at once at sites that have 10's
of users banging on a central WebGoat. Only time will tell.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@190 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:34:14 +00:00
rogan.dawes
9d19fa2433 Remove unused code to clean up warnings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@189 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:33:14 +00:00