Appendix A: WebGoat lesson plans and solutions

Phase 1 (first 50% of project)

The zip file contains the WebGoat lesson plans and solutions. The current version still needs some work (an index.html file, fixing broken links, etc.); a new version was planned for 28 July 2008 (note: the new version has been available since 27 July 2008).

Please see readme.txt for instructions. The specific lesson solutions in this zip file are the ones not in the Phase 2 zip file listed below.



Phase 2 (second 50% of project)

The zip files contain the WebGoat lesson solutions for the Phase 2 project lessons in a form that can be viewed off-line (that is, outside WebGoat itself, with no broken links to the images). The files total around 12 MB but are split into smaller chunks; unzip them all in the same directory. They let someone understand the WebGoat lessons fairly well without having to install and run WebGoat. Many images embedded in the pages are low-resolution *.png files; each lesson's subdirectory also holds higher-resolution *.jpg versions, which are helpful, for example, for reading the exact text used in WebScarab.

The lessons contained in the Phase 2 zip files are:

1.1 Http Basics
2.2 Bypass a Path Based Access Control Scheme
2.3 LAB: Role Based Access Control
3.1 LAB: DOM-Based cross-site scripting
3.2 LAB: Client Side Filtering
3.4 DOM Injection
3.5 XML Injection
3.6 JSON Injection
3.7 Silent Transactions Attacks
3.8 Dangerous Use of Eval
3.9 Insecure Client Storage
7.1 Thread Safety Problem
7.2 Shopping Cart Concurrency Flaw
8.3 Stored XSS Attacks
8.6 HTTPOnly Test
9.1 Denial of Service from Multiple Logins
12.1 Insecure Login
14.1 Encoding Basics
15.3 Bypass Client Side JavaScript Validation
16.1 Hijack a Session
16.2 Spoof an Authentication Cookie
16.3 Session Fixation
17.1 Create a SOAP Request
17.2 WSDL Scanning

All other lesson solutions are in the Phase 1 zip file.