dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
241 Commits 11 Branches 78 Tags
Commit Graph

111 Commits

Author SHA1 Message Date
rogan.dawes
a84d0e951d making ajax impovements 
Also convert SQL server file from Unix to DOS line endings


git-svn-id: http://webgoat.googlecode.com/svn/trunk@246 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:44:09 +00:00
rogan.dawes
12554493cd Change the default Oracle password back to webgoat (no _) 
No good reason to change it actually.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@243 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:14:27 +00:00
rogan.dawes
36b32849df Add support for MS SQL Server in the DB Labs 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@240 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:13:52 +00:00
rogan.dawes
900a222316 Change the default webgoat password 
Add an underscore to the password to allow us to keep the same
password across multiple platforms, including those that enforce
password quality (e.g. SQL Server)


git-svn-id: http://webgoat.googlecode.com/svn/trunk@239 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:13:21 +00:00
rogan.dawes
cb2a3784b6 Change DBSQLInjection lesson to count the matched rows 
This is an improvement over expecting the stored proc
to throw an exception, and is more portable


git-svn-id: http://webgoat.googlecode.com/svn/trunk@238 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:13:13 +00:00
rogan.dawes
1ce614f733 Merge with major changes made by Aspect 
Several new lessons added


git-svn-id: http://webgoat.googlecode.com/svn/trunk@236 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:12:31 +00:00
rogan.dawes
137b7c813c several minor bug fixes. 
UpdateProfile uses prepared statements.
ReflectedXSS "code" input field vulnerable to XSS.
Minor updates to concurrency cart


git-svn-id: http://webgoat.googlecode.com/svn/trunk@235 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:11:50 +00:00
rogan.dawes
d9cf56268e Fix line endings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@229 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:49 +00:00
rogan.dawes
5457faf9a3 Add Rogan Dawes to the challenge screen as a contributor 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@227 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:09:33 +00:00
rogan.dawes
2fd09c3084 Add a new Concurrency lesson 
Created by Ryan Knell @Aspect Security


git-svn-id: http://webgoat.googlecode.com/svn/trunk@222 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-10 10:08:45 +00:00
mayhew64
3645564018 Added source parameter to "Show Java" for showing lesson source code. Added Google Mail configuration to UncheckedEmail lesson. 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@219 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-08 12:53:09 +00:00
mayhew64
23e7fe1f4f Build cleanup in order to create a complete developer distribution. More menu cleanup 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@217 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-03 21:09:17 +00:00
mayhew64
f6e0cb7ed0 Don't know what these are? 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@216 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-03 21:06:52 +00:00
mayhew64
c1f55215a8 Menu cleanup for Lab stages. Shortened menu names for most lessons. Changed category naming to be more meaningful. 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@214 4033779f-a91e-0410-96ef-6bf7bf53c507
 2008-01-02 13:48:19 +00:00
mayhew64
ee0bc82bec Single platform build.xml 
Modified Lesson banners
Solutions guide and framework

git-svn-id: http://webgoat.googlecode.com/svn/trunk@213 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-10-08 20:37:43 +00:00
rogan.dawes
a9fe7e6099 Implement non-coding modes for the labs 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@211 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:57:57 +00:00
rogan.dawes
b67bb702d2 Fix more places where the email address was hard-coded 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@208 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:56:35 +00:00
rogan.dawes
6de7bd9ec9 Fix the feedback address in other places 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@207 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:56:06 +00:00
rogan.dawes
d65f5bfd85 Make the stages not right aligned 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@206 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:55:57 +00:00
rogan.dawes
7fd112bc5d Update Random Access Lessons to not include the stage number in the text 
We add the stage number programmatically now, since we want to be able
to skip some stages.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@205 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-25 12:55:49 +00:00
rogan.dawes
fb76b4916f Unify web.xml files. Also update the webgoat contact email address 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@202 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:37:42 +00:00
rogan.dawes
f9b5f8eddf Show completion of individual lesson stages 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@201 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:37:31 +00:00
rogan.dawes
002dbbf53c Point the windows config file to use the HSQLDB database 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@198 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:36:11 +00:00
rogan.dawes
c1ddbd078f Correctly specify an in-memory database 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@195 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:35:31 +00:00
rogan.dawes
7af27f7d1b Make per-user in-memory databases actually work 
Previously we would just get a connection to the same database, regardless
of the user specified in the connect string. Trying to create
HSQLDB users did not seem to work. Non-ADMIN users don't have
CREATE TABLE privileges, it seems, and I couldn't find docs that
describe how to GRANT CREATE TABLE privileges. Go figure.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@192 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:34:53 +00:00
rogan.dawes
d04371884b Allow WebGoat to create per-user databases 
This creates the infrastructure to allow WebGoat to create per-user
databases, so that any modifications made by one user do not affect
other users. Some lessons may have made provision for this internally
(e.g. CrossSiteScripting lesson), but this simplifies things generally.

This also switches the default database from Access on windows, and
Enhydra on Unix/other platforms to using HSQLDB, in an "in-memory"
configuration. We may get performance problems from having too many
instances of the database in memory at once at sites that have 10's
of users banging on a central WebGoat. Only time will tell.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@190 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:34:14 +00:00
rogan.dawes
e41a5ca395 Removed unused code that was generating warnings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@187 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:32:31 +00:00
rogan.dawes
d709ff9506 Fix warnings 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@185 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:31:42 +00:00
rogan.dawes
9ea97126b8 Use AbstractLesson.getLink() and getFormAction() more 
Rather than constructing URL's manually all the time, rather
make use of existing mechanisms to create the URL, and use
it consistently.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@184 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:31:11 +00:00
rogan.dawes
e27aaccb45 Make multi-stage lessons show the individual stages in the menu 
While we are about it, make AbstractLesson.getLink() include
the category (i.e. menu), so that the menu selection script
will still work.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@183 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:29:53 +00:00
rogan.dawes
84f3b5033d Minor changes to the challenge screen 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@181 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-18 13:29:15 +00:00
rogan.dawes
47a7619652 Fixes: Make sure procedures are created in the right scope/user 
Also, create the EMPLOYEE table first, since Oracle checks for it


git-svn-id: http://webgoat.googlecode.com/svn/trunk@176 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:56:41 +00:00
rogan.dawes
afb5b9e740 SQLPLUS does not process CREATE PROCEDURE lines without a trailing / 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@175 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:56:33 +00:00
rogan.dawes
7bb2c087a0 Add lesson plans for the DB labs 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@174 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:56:26 +00:00
rogan.dawes
d1fe861a75 Add a DB Cross Site Scripting lesson 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@173 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:56:13 +00:00
rogan.dawes
73035769aa Add stored procedures for the DB Cross Stie Scripting Lesson 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@172 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:55:32 +00:00
rogan.dawes
bc2faede19 Add a new DBSQLInjection lesson 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@171 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:55:23 +00:00
rogan.dawes
17fe003f2f Add stored procedures for the SQL Injection lesson 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@170 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:54:33 +00:00
rogan.dawes
1bcb2f6539 Add an SQL file to set up the Oracle DB and WebGoat user 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@169 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:54:23 +00:00
rogan.dawes
26ed31df68 Only show the stage controls if the lesson is not complete 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@167 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:53:59 +00:00
rogan.dawes
cb794dcb50 Calculate the stage changes correctly 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@161 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:52:23 +00:00
rogan.dawes
851974d7ce Remove strange stage transition code. 
It may be necessary, but I can't figure out what it is supposed to be doing


git-svn-id: http://webgoat.googlecode.com/svn/trunk@160 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:52:07 +00:00
rogan.dawes
2bda4a81f3 Migrate the labs to direct/Random access stages 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@158 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:51:29 +00:00
rogan.dawes
f5e56c7081 Extract the stage-related code from LessonTracker into SequentialLessonTracker 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@157 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-11 12:50:32 +00:00
rogan.dawes
a1d52a73e0 Introduce the GoatHillsFinancial "lesson" 
This "lesson" is to be used as a base for the rest of the
LAB lessons. This should help to reduce the amount of
duplication across the lessons.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@150 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-10 11:56:00 +00:00
rogan.dawes
3c2e63636c Provide a user-accessible mechanism for skipping stages 
Initially, this is only available when in debug mode
i.e. add &debug=true to the URL or set the flag in web.xml


git-svn-id: http://webgoat.googlecode.com/svn/trunk@146 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-07-10 11:54:12 +00:00
esheri3
20484796f9 EditProfile.jsp was missing a closing div tag. Removed some unused imports in LessonSource.java 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@124 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-04-05 15:33:51 +00:00
mayhew64
25f47916cc Rename CookieCatcher to Catcher 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@121 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-03-20 19:05:46 +00:00
mayhew64
e2e98574b5 Detailed new lesson instructions 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@120 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-03-19 19:07:00 +00:00
mayhew64
34fca43216 New Phishing Lesson 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@119 4033779f-a91e-0410-96ef-6bf7bf53c507
 2007-03-19 17:47:37 +00:00