Labs: Navigating to Instructor java examples #206
I grabbed the instructor code from the legacy WebGoat code base, no problem. HOWEVER, when I run through the XSS lab now, it appears that the default (unfixed, and not instructor) version of the lab already has Stage 1 fixed. (I put an XSS into the street address as Tom, but it displays as ".script.".) Was this on purpose? Am I missing something?
The XSS lab had a bug that was fixed but not released. If you build from master, it should work. I may be confusing XSS labs though. Also, the instructor stuff wasn't ported. If you have it ported into the individual lessons, please commit it back. If not, the team will eventually get to it. Let us know.
Thanks for the quick reply. I did build from the latest src tree, pulled down fresh from github, FYI. After diving through this in more detail, I think I can shed some light on what’s happening.
The parser class method, getStringParameter, converts "dangerous" characters like "<" and ">" into ".". Thus, the lab's Stage 1 is already fixed, albeit not very well. However, in the original still-broken Stage 1 lab, which can be found in WebGoat-Lessons/cross-site-scripting/…, the UpdateProfile.java uses a simple HTTP request to read the address1 string: String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); In prior versions of WebGoat, the students had to either use an in-line regex to validate address1 on input, or convert to the parser class and validate that way.

Clearly, it's your call how to do this. I'm not questioning that. I'm merely pointing out that this is a pretty major departure from the prior LAB on XSS.

Also, I should point out that the old-style code still resides out in WebGoat-Lessons/cross-site-scripting/… So, there are two versions of each of the lab Java files floating around the src tree. That said, in WebGoat-Lessons/cross-site-scripting/…/CrossSiteScripting.java, the code is clearly using the versions in WebGoat-Lessons/goat-hills-financial, as follows: import org.owasp.webgoat.plugin.GoatHillsFinancial.DeleteProfile;

Just thought you should know. There are, of course, any number of ways to proceed, but I thought you should be aware of this.

Cheers, Ken van Wyk
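The comment above contrasts three ways the address1 field can be handled: the parser's character-to-dot replacement, an in-line allowlist regex on input, and validation in the parser class. The following is an added example written for this thread, not WebGoat's own code (the class name, the allowlist pattern, and the helper names are assumptions), that puts the dot-replacement approach side by side with allowlist input validation and HTML output encoding so the difference in what reaches the page is visible on both a benign address and the kind of tag-bearing value the first comment describes.

```java
import java.util.regex.Pattern;

/**
 * Added example (not WebGoat code): three treatments of an address field.
 * The lab parser, as described in the thread, replaces "<" and ">" with ".".
 * This class shows that behaviour beside (a) allowlist validation on input
 * and (b) HTML encoding on output, which is the pairing that actually
 * prevents script injection rather than just mangling it.
 */
public class AddressInputHandling {

    // Assumed allowlist for a street address: letters, digits, spaces and a
    // few punctuation marks, 1 to 100 characters. Anything else, including
    // < > & " ' is rejected outright instead of being rewritten.
    private static final Pattern ADDRESS1_ALLOWED =
        Pattern.compile("^[A-Za-z0-9 .,#'/-]{1,100}$");

    /** Input validation: accept only values that match the allowlist. */
    public static boolean isValidAddress1(String address1) {
        return address1 != null && ADDRESS1_ALLOWED.matcher(address1).matches();
    }

    /** Output encoding: escape HTML metacharacters before rendering. */
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The thread's description of the lab parser: angle brackets become ".". */
    public static String dotReplace(String s) {
        return s == null ? "" : s.replaceAll("[<>]", ".");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal address and a tag-bearing value
        // of the sort the first comment reports seeing rendered as ".script.".
        String benign  = "123 Main St, Apt #4";
        String hostile = "<script>alert(1)</script>";

        for (String in : new String[] { benign, hostile }) {
            System.out.println("input:            " + in);
            System.out.println("  allowlist ok?   " + isValidAddress1(in));
            System.out.println("  dot-replace:    " + dotReplace(in));
            System.out.println("  html-encoded:   " + htmlEncode(in));
            System.out.println();
        }
    }
}
```

Run with `javac AddressInputHandling.java && java AddressInputHandling`. The benign address passes the allowlist and is unchanged by both transformations; the hostile value fails the allowlist, is turned into `.script.alert(1)./script.` by dot replacement (still stored, just broken), and is rendered inert by HTML encoding. Rejecting on input and encoding on output is the combination a student solution would normally be expected to implement; the dot replacement alone hides the symptom without enforcing a contract on the field.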
Renamed the classes; the class names now reflect the lesson name, so there is much less confusion.
@krvw the instructions are again part of the lessons (see the instructor packages in the Goat Hills labs).
Enjoying learning the new WebGoat, thanks all!
Question/issue: I use WG in classes often. When running students through the labs, I would often pull up the instructor version of a lab to show them how to implement a solution. These documented instructor versions of each lab were always easy to navigate to in Eclipse until now.
I suspect I'm just being dense and missing where they are now, but could you please point me to the instructor .java files?
A quick guide on how to import WebGoat into Eclipse so that it can build and run from within Eclipse would also be awesome, BTW. Happy to help.