WebGoat/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
René Zubcevic d1e44bbc98
Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
* better check on host and port for password reset and make context roots more flexible

* spotless applied

* removed hardcoded /WebGoat from js

* removed hardcoded /WebGoat from js

* fix spotless

* fix scoreboard

* upgrade WebWolf bootstrap version and icons and templates - part 1

* fixed more bootstrap 5 style issues and context path issues

* organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed)

* spotless applied

* added mock bean

* requires updates to properties - commented for now

* requires updates to properties - commented for now

* oauth secrets through env values

* user creation after oauth login

* integration test against non default context paths

* adjusted StartupMessage

* add global model element username

* conditionally show login oauth links

* fixed WebWolf login

---------

Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
2023-11-14 10:01:59 +01:00


# XSS success, failure messages and hints
4.xss.title=Cross Site Scripting
5.xss-stored.title=Cross Site Scripting (stored)
6.xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with a reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
xss-reflected-5a-failure=Try again. We do want to see a specific JavaScript mentioned in the goal of the assignment (in case you are trying to do something fancier).
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
xss-reflected-5a-hint-3=What information sent to the application gets reflected back after being submitted?
xss-reflected-5a-hint-4=Just try purchasing something. You want your script to be included in the purchase-confirmation.
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it will not execute (because of response type). Try it if you like.</li></ul>
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
xss-reflected-6a-failure=Sorry that is not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.
xss-reflected-6a-hint-1=To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the <i>Developer Tools</i> Lesson in the general category.)
xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
xss-reflected-6a-hint-4=Still did not find it? Check the <a href="js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
xss-dom-message-success=Correct, I hope you did not cheat using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.
xss-dom-message-hint-2=Your URL should look something like this: http://localhost:8080/WebGoat/start.mvc#REPLACE-WITH-THE-TEST-ROUTE/some_parameters
xss-dom-message-hint-3=Note how the parameters you send to the test-route get reflected back to the page. Now add your JavaScript to it.
xss-dom-message-hint-4=You have to use script tags, so your JavaScript code gets executed when being rendered into the DOM.
xss-dom-message-hint-5=Since you are working with a URL, you might have to URL-encode your parameters.
xss-dom-message-hint-6=Replace '/' with '%2F' in your URL parameters.
xss-stored-comment-success=It appears your payload should invoke the function. To tell for sure, you need to capture the value and put it in the form below. Then we will really know.
xss-stored-comment-failure=We cannot see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).
xss-mitigation-3-hint1=You do not store the user input in this example. Try to encode the user's input right before you place it into the HTML document.
xss-mitigation-3-hint2=Make use of JavaServer Pages Standard Tag Library (JSTL) and JSP Expression Language.
xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
xss-mitigation-3-hint4=Do not forget to reference the tag libs and choose "e" as prefix.
xss-mitigation-3-success=You have completed this lesson. Congratulations!
xss-mitigation-3-failure=This is not the correct answer. Try again!
xss-mitigation-3-no-code=You did not change anything.
xss-mitigation-4-hint1=Try to have a look at the AntiSamy documentation.
xss-mitigation-4-success=You have completed this lesson. Congratulations!
xss-mitigation-4-failed=This is not the correct answer. Try again!
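The mitigation hints above (encode user input right before it is placed into the HTML document, using the OWASP Java Encoder) in working form, as an added example that is not part of WebGoat's lesson code. It assumes the `org.owasp.encoder` library is on the classpath; the class name `CommentRenderer` and the sample input are constructed for this illustration.

```java
// Added example (not WebGoat's own lesson code): untrusted text rendered
// raw versus rendered through OWASP Java Encoder's HTML context encoder.
import org.owasp.encoder.Encode;

public class CommentRenderer {

    // Vulnerable pattern: user-controlled text concatenated straight into markup.
    static String renderUnsafe(String comment) {
        return "<div class=\"comment\">" + comment + "</div>";
    }

    // Mitigated pattern: contextual output encoding at the point of insertion,
    // so '<', '>', '"', '\'' and '&' become entities and cannot open new tags.
    static String renderSafe(String comment) {
        return "<div class=\"comment\">" + Encode.forHtml(comment) + "</div>";
    }

    // The JSP/JSTL equivalent referenced by the hints (prefix "e"):
    //   <%@ taglib prefix="e" uri="owasp.encoder" %>
    //   <div class="comment">${e:forHtml(param.comment)}</div>

    public static void main(String[] args) {
        String input = "<script>alert(1)</script>"; // constructed sample input
        System.out.println(renderUnsafe(input));    // markup is preserved as-is
        System.out.println(renderSafe(input));      // rendered as inert text
    }
}
```

The safe variant is only correct for the HTML body context; attribute, JavaScript and URL contexts need the matching `Encode.forHtmlAttribute`, `Encode.forJavaScript` or `Encode.forUriComponent` calls.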