WebGoat/src/main/resources/lessons/xss/html/CrossSiteScripting.html

<!DOCTYPE html>

<html xmlns:th="http://www.thymeleaf.org">

<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_plan.adoc}"></div>
</div>

<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content1.adoc}"></div>
	<div class="attack-container">
		<div id="lessonContent">
			<form class="attack-form" accept-charset="UNKNOWN"
				  method="POST" name="form"
				  action="CrossSiteScripting/attack1">
				<table>
					<tr>
						<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
						<td><input
								name="answer" value="Submit" type="SUBMIT"/></td>
						<td></td>
					</tr>
				</table>
			</form>
		</div>
		<div class="attack-feedback"></div>
		<div class="attack-output"></div>
	</div>
</div>
<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content2.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content3.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content4.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content5.adoc}"></div>
	<img align="middle" th:src="@{/images/Reflected-XSS.png}" />
</div>
<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content5a.adoc}"></div>
	<div class="attack-container">
		<div id="lessonContent">
			<form class="attack-form" accept-charset="UNKNOWN"
				  method="GET" name="xss-5a"
				  action="CrossSiteScripting/attack5a">
				<center>
					<h4>Shopping Cart</h4>
				</center>
				<table width="90%" cellspacing="0" cellpadding="2" border="1"
					   align="center">
					<tbody>
					<tr>
						<th width="80%">Shopping Cart Items -- To Buy Now</th>
						<th width="10%">Price</th>
						<th width="3%">Quantity</th>
						<th width="7%">Total</th>
					</tr>
					<tr>
						<td>Studio RTA - Laptop/Reading Cart with Tilting Surface -
							Cherry</td>
						<td align="right">69.99</td>
						<td align="right"><input size="6" value="1" name="QTY1"
												 type="NUMBER" /></td>
						<td>$0.00</td>
					</tr>
					<tr>
						<td>Dynex - Traditional Notebook Case</td>
						<td align="right">27.99</td>
						<td align="right"><input size="6" value="1" name="QTY2"
												 type="NUMBER" /></td>
						<td>$0.00</td>
					</tr>
					<tr>
						<td>Hewlett-Packard - Pavilion Notebook with Intel Centrino</td>
						<td align="right">1599.99</td>
						<td align="right"><input size="6" value="1" name="QTY3"
												 type="NUMBER" /></td>
						<td>$0.00</td>
					</tr>
					<tr>
						<td>3 - Year Performance Service Plan $1000 and Over</td>
						<td align="right">299.99</td>
						<td align="right"><input size="6" value="1" name="QTY4"
												 type="NUMBER" /></td>
						<td>$0.00</td>
					</tr>
					</tbody>
				</table>
				<table width="90%" cellspacing="0" cellpadding="2"
					   align="center">
					<tbody>
					<tr>
						<td>Enter your credit card number:</td>
						<td><input name="field1" value="4128 3214 0002 1999"
								   type="TEXT" /></td>
					</tr>
					<tr>
						<td>Enter your three digit access code:</td>
						<td><input name="field2" value="111" type="TEXT" /></td>
					</tr>
					<br/>
					<tr>
						<td colspan="3" align="center"><input name="SUBMIT" class="btn btn-primary"
															  value="Purchase" type="SUBMIT" /></td>
					</tr>
					</tbody>
				</table>
				<hr width="90%"/>
			</form>
		</div>
		<div class="attack-feedback"></div>
		<div class="attack-output"></div>
	</div>

</div>

<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content5b.adoc}"></div>

</div>

<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content6.adoc}"></div>
</div>

<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content6a.adoc}"></div>
	<div class="attack-container">
		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
		<form class="attack-form" accept-charset="UNKNOWN"
			  method="POST" name="DOMTestRoute"
			  action="CrossSiteScripting/attack6a">
			<input name="DOMTestRoute" value="" type="TEXT" />
			<input name="SubmitTestRoute" value="Submit" type="SUBMIT"/>
		</form>
		<div class="attack-feedback"></div>
		<div class="attack-output"></div>
	</div>
</div>

<div class="lesson-page-wrapper">
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content6b.adoc}"></div>
	<div class="attack-container">
		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
		<form class="attack-form" accept-charset="UNKNOWN"
			  method="POST" name="DOMFollowUp"
			  action="CrossSiteScripting/dom-follow-up">
			<input name="successMessage" value="" type="TEXT" />
			<input name="submitMessage" value="Submit" type="SUBMIT"/>
		</form>
		<div class="attack-feedback"></div>
		<div class="attack-output"></div>
	</div>
</div>

<div class="lesson-page-wrapper">
	<span id="quiz_id" data-quiz_id="cross_site_scripting"></span>
	<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
	<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
	<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_quiz.adoc}"></div>
	<div class="attack-container">
		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
		<div class="container-fluid">
			<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
				  method="POST" name="form"
				  action="CrossSiteScripting/quiz" role="form">
				<div id="q_container"></div>
				<br />
				<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
			</form>
		</div>
		<div class="attack-feedback"></div>
		<div class="attack-output"></div>
	</div>
</div>
</html>