fc08681d89
1. Every text passage/label that appears in lessons must independent of the current language set for WebGoat.
2. Every lesson plan and solutions must be translated for each supported language.
Number 1 is achieved by using webgoat/util/WebgoatI18N.java and by having every output routed through this piece of code. You no longer say hints.add("Lesson Hint 1"); or ....addElement("Shopping Cart")) but you in the lesson you say hints.add(WebGoatI18N.get("Lesson Hint1")) or ....addElement(WebGoatI18N.get("Shopping Cart"). Then WebGoatI18N looks up the corresponding string for the language set as the current lanuage and returns it.
Number 2 is achieved by having subdirectories in lesson_plans corresponding to every language. That means, a lesson that has been translated to Spanish and German will be found in lesson_plans/English and lesson_plans/Spanish and lesson_plans/German.
This is how WebGoat finds out about available languages: in Course.java in loadResources() it looks for lesson plans.
Unlike before, now a lesson plan can be found multiple times in different "language" directories. So for every directory the lesson plan is found in, WebGoat associates this language with the lesson and also lets WebGoatI18N load the appropriate WebGoatLabels_$LANGAUGE$.properties file which contains the translations of labels.
So this is what you have to do for a new language:
First of all, you have to copy and translate every lesson plan that you need in the new language, and then you also have to create a WebGoatLabels_$LANGUAGE$.properties file with that labels that will be used in these lessons. Atm WebGoat crashes throws an exception when a label is missing but this can be sorted out quickly.
git-svn-id: http://webgoat.googlecode.com/svn/trunk@389 4033779f-a91e-0410-96ef-6bf7bf53c507
34 lines
1.3 KiB
HTML
34 lines
1.3 KiB
HTML
<div align="Center">
|
|
<p><b>Lesson Plan Title:</b> Session Fixation</p>
|
|
</div>
|
|
|
|
<p><b>Concept / Topic To Teach:</b> </p>
|
|
How to steal a session with a 'Session Fixation'
|
|
<br>
|
|
<div align="Left">
|
|
<p>
|
|
<b>How the attacks works:</b>
|
|
</p>
|
|
A user is recognized by the server by an unique Session ID. If a
|
|
user has logged in and is authorized he does not have to
|
|
reauthorize when he revisits the application as the user is recognized
|
|
by the Session ID. In some applications it is possible to deliver
|
|
the Session ID in the Get-Request. Here is where the attack starts.
|
|
<br><br>
|
|
An attacker can send a hyperlink to a victim with a chosen Session ID.
|
|
This can be done for example by a prepared mail which looks like an
|
|
official mail from the application administrator.
|
|
If the victim clicks on the link and logs in he is authorized
|
|
by the Session ID the attacker has chosen. The attacker
|
|
can visit the page with the same ID and is recognized as the victim and
|
|
gets logged in without authorization.
|
|
</div>
|
|
<p><b>General Goal(s):</b> </p>
|
|
<!-- Start Instructions -->
|
|
This lesson has several stages. You play the attacker but also the victim.
|
|
After having done this lesson it should be understood how
|
|
a Session Fixation in general works. It should be also understood that
|
|
it is a bad idea to use the Get-Request for Session IDs.
|
|
<!-- Stop Instructions -->
|
|
|