dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/main/project/JavaSource/WebGoatLabels_english.properties

242 lines
15 KiB
Properties
Raw Blame History

#General
LessonCompleted=Congratulations. You have successfully completed this lesson.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
#HttpBasics.java
EnterYourName=Enter your Name
Go!=Go!
#BasicAuthentication.java
BasicAuthHeaderNameIncorrect=Basic Authentication header name is incorrect.
BasicAuthHeaderValueIncorrect=Basic Authentication header value is incorrect.
BasicAuthenticationWhatIsNameOfHeader=What is the name of the authentication header:
BasicAuthenticationWhatIsDecodedValueOfHeader=What is the decoded value of the authentication header:
Submit=Submit
BasicAuthenticationGreenStars1=Close your browser and login as
BasicAuthenticationGreenStars2= to get your green stars back.
BasicAuthenticationStage1Completed=Congratulations, you have figured out the mechanics of basic authentication.  - Now you must try to make WebGoat reauthenticate you as:     - username: basic     - password: basic. Use the Basic Authentication Menu to start at login page.
BasicAuthenticationAlmostThere1=You're almost there! You've modified the
BasicAuthenticationAlmostThere2= header but you are still logged in as
BasicAuthenticationAlmostThere3=. Look at the request after you typed in the 'basic' user credentials and submitted the request. Remember the order of events that occur during Basic Authentication.
BasicAuthenticationReallyClose=You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. When you figure out how to force the server to perform an authentication request, you have to authenticate as:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;user name: basic<br> &nbsp;&nbsp;&nbsp;&nbsp;password: basic<br>
BasicAuthenticationUseTheHints=Use the hints! One at a time...
BasicAuthenticationHint1=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies.
BasicAuthenticationHint2=Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials.
BasicAuthenticationHint3=Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials.
BasicAuthenticationHint4=Use WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie.
BasicAuthenticationHint5=Basic authentication uses a cookie to pass the credentials. Use a proxy to intercept the request. Look at the cookies.
BasicAuthenticationHint6=Before the WebServer requests credentials from the client, the current session is checked for validitity.
BasicAuthenticationHint7=If the session is invalid the webserver will use the basic authentication credentials
BasicAuthenticationHint8=If the session is invalid and the basic authentication credentials are invalid, new credentials will be requested from the client.
BasicAuthenticationHint9=Intercept the request and corrupt the JSESSIONID and the Authorization header.
#WeakAuthenticationCookie.java
InvalidCookie=Invalid cookie
IdentityRemembered=Your identity has been remembered
InvalidUsernameAndPassword=Invalid username and password entered.
UserName=User Name
Password=Password
Login=Login
RequiredFields=Required Fields
WeakAuthenticationCookiePleaseSignIn=Please sign in to your account. See the OWASP admin if you do not have an account.
SignIn=Sign in
PasswordForgotten=Goodbye! Your password has been forgotten
WelcomeUser=Welcome,
YouHaveBeenAuthenticatedWith=You have been authenticated with
Logout=Logout
Refresh=Refresh
WeakAuthenticationCookieHints1=The server authenticates the user using a cookie, if you send the right cookie.
WeakAuthenticationCookieHints2=Is the AuthCookie value guessable knowing the username and password?
WeakAuthenticationCookieHints3=Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>.
WeakAuthenticationCookieHints4=After logging in as webgoat a cookie is added. 65432ubphcfx<br/>After logging in as aspect a cookie is added. 65432udfqtb<br/>Is there anything similar about the cookies and the login names?
#RemoteAdminFlaw.java
RemoteAdminFlawHint1=WebGoat has 2 admin interfaces.
RemoteAdminFlawHint2=WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'
RemoteAdminFlawHint3=WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'
RemoteAdminFlawHint4=Follow the Source!
RemoteAdminFlawHint5=On success you will see new submenu items in the menupoint 'Admin Functions'
#PathBasedAccessControl.java
CurrentDirectory=Current Directory is:
ChooseFileToView=Choose the file to view:
ViewFile=View File
AccessDenied=Access denied
ItAppears1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see one file in this directory.
ItAppears2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. You are only allowed to see files in the webgoat directory.
CongratsAccessToFileAllowed=Congratulations! Access to file allowed
FileInAllowedDirectory=File is already in allowed directory - try again!
AccessToFileDenied1=Access to file/directory "
AccessToFileDenied2=" denied
FileTooLarge=File is too large
FileBinary=File is binary
TheFollowingError=The following error occurred while accessing the file: <
PathBasedAccessControlInstr1=The '
PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted. An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml
ErrorGenerating=Error generating
ViewingFile=Viewing file:
File=File:
Dir=Dir:
IsFile= - isFile():
Exists= - exists():
PathBasedAccessControlHint1=Most operating systems allow special characters in the path.
PathBasedAccessControlHint2=Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory");
PathBasedAccessControlHint3=Try .. in the path
PathBasedAccessControlHint4=Try ..\\..\\..\\LICENSE
#CommandInjection.java
Command=Command
CommandInjectionRightTrack1=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig.
CommandInjectionRightTrack2=It appears that you are on the right track. Commands that may compromise the operating system have been disabled. This lesson is a command injection lesson, not access control.
YouAreCurrentlyViewing=You are currently viewing:
SelectFileFromListBelow=select file from list below
SelectLessonPlanToView=Select the lesson plan to view:
View=View
CommandInjectionHint1=The application is using a system command to return the contents of a file.
CommandInjectionHint2=The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)
CommandInjectionHint3=Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix.
CommandInjectionHint4=Note that the server may enclose the submitted file name within quotes
#NumericSqlInjection.java
NumericSqlInjectionSecondStage=Bet you can't do it again! This lesson has detected your successfull attack and has now switched to a defensive mode. Try again to attack a parameterized query.
NoResultsMatched=No results matched. Try Again.
NumericSqlInjectionSecondStage2=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query.
ErrorParsingAsNumber=Error parsing station as a number:
SelectYourStation=Select your local weather station:
SqlNumericInjectionHint1=The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.
SqlNumericInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br>"SELECT * FROM weather_data WHERE station = " + station
SqlNumericInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true.
SqlNumericInjectionHint4=Try to intercept the post request with WebScarab and replace the station with [ 101 OR 1 = 1 ].
#StringSqlInjection.java
StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
EnterLastName=Enter your last name:
NoResultsMatched=No results matched. Try Again.
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
#LogSpoofing.java
LoginFailedForUserName=Login failed for username
LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME
LogSpoofingHint1=Try to fool the human eye by using new lines.
LogSpoofingHint2=Use CR (%0d) and LF (%0a) for a new line.
LogSpoofingHint3=Try: Smith%0d%0aLogin Succeeded for username: admin
LogSpoofingHint4=Try: Smith%0d%0aLogin Succeeded for username: admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;
#StoredXss.java
StoredXssHint1=You can put HTML tags in your message.
StoredXssHint1=Bury a SCRIPT tag in the message to attack anyone who reads it.
StoredXssHint1=Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field.
StoredXssHint1=Enter this: &lt;script&gt;alert(document.cookie);&lt;/script&gt; in the message field.
MessageContentsFor=Message Contents For
Title=Title
PostedBy=Posted by
CouldNotFindMessage=Could not find this message
Message=Message
MessageList=Message List
CouldNotAddMessage=Could not add message to database
ErroGeneratingMessageList=Error while getting message list.
#ReflectedXSS.java
ReflectedXSSWhoops1=Whoops! You entered
ReflectedXSSWhoops2= instead of your three digit code. Please try again.
ShoppingCart=Shopping Cart
ShoppingCartItems=Shopping Cart Items -- To Buy Now
Price=Price
Quantity=Quantity
Total=Total
TotalChargedCreditCard=The total charged to your credit card
UpdateCart=UpdateCart
EnterCreditCard=Enter your credit card number
Enter3DigitCode=Enter your three digit access code
Purchase=Purchase
ReflectedXSSHint1=A simple script is &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.
ReflectedXSSHint2=Can you get the script to disclose the JSESSIONID cookie?
ReflectedXSSHint3=You can use &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; to access the session id cookie
ReflectedXSSHint4=Can you get the script to access the credit card form field?
ReflectedXSSHint5=Try a cross site trace (XST) Command:<br>&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); document.write(str1);}&lt;/script&gt;");
#HtmlClues.java
HtmlCluesBINGO=BINGO -- admin authenticated
HtmlCluesHint1=You can view the HTML source by selecting 'view source' in the browser menu.
HtmlCluesHint2=There are lots of clues in the HTML
HtmlCluesHint3=Search for the word HIDDEN, look at URLs, look for comments.
#JavaScriptValidation.java
3LowerCase=Field1: exactly three lowercase characters
Exactly3Digits=Field2: exactly three digits
LettersNumbersSpaceOnly=Field3: letters, numbers, and space only
EnumerationOfNumbers=Field4: enumeration of numbers
SimpleZipCode=Field5: simple zip code
ZIPDashFour=Field6: zip with optional dash four
USPhoneNumber=Field7: US phone number with or without dashes
ServerSideValidationViolation=Server side validation violation: You succeeded for
JavaScriptValidationHint1=The validation is happening in your browser.
JavaScriptValidationHint2=Try modifying the values with a proxy after they leave your browser
JavaScriptValidationHint3=Another way is to delete the JavaScript before you view the page.
#HiddenFieldTampering.java
TotalPriceIs=Your total price is
ThisAmountCharged=This amount will be charged to your credit card immediately.
HiddenFieldTamperingHint1=This application is using hidden fields to transmit price information to the server.
HiddenFieldTamperingHint2=Use a program to intercept and change the value in the hidden field.
HiddenFieldTamperingHint3=Use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to change the price of the TV from "
HiddenFieldTamperingHint32= to
# Modify data with SQL Injection
EnterUserid=Enter your userid:
SqlModifyDataHint1=You can use SQL Injection to execute more than one SQL statement.
SqlModifyDataHint2=Use a semicolon (;) to separate SQL statements.
SqlModifyDataHint3=Modify data using a SQL UPDATE Statement.
SqlModifyDataHint4=For details and examples for SQL UPDATE statements, see <A href=\"http://www.w3schools.com/SQl/sql_update.asp\">http://www.w3schools.com/SQl/sql_update.asp</A>
SqlModifyDataHint5=SOLUTION:<br/>foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith
# Modify data with SQL Injection
SqlAddDataHint1=You can use SQL Injection to execute more than one SQL statement.
SqlAddDataHint2=Use a semicolon (;) to separate SQL statements. You will also need to comment out some characters that come after the injection with a double hyphen (--).
SqlAddDataHint3=Modify data using a SQL INSERT Statement.
SqlAddDataHint4=For details and examples for SQL INSERT statements, see <A href=\"http://www.w3schools.com/SQl/sql_insert.asp\">http://www.w3schools.com/SQl/sql_insert.asp</A>
SqlAddDataHint5=SOLUTION:<br/>bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --
# Bypass Html Field Restrictions
BypassHtmlFieldRestrictionsHint1=You must re-enable the disabled form field or manually add its parameter name to your request.
BypassHtmlFieldRestrictionsHint2=You can use <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A> to intercept requests and make changes.
BypassHtmlFieldRestrictionsHint3=Rather than using <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">WebScarab</A>, you could instead use the <A href=\"http://chrispederick.com/work/web-developer/\">Web Developer</a> and/or <A href=\"http://devels-playground.blogspot.com/\">Hackbar</a> Firefox extensions to complete this lesson.
Reference in New Issue View Git Blame Copy Permalink