Pull upstream changes from Jerry Hoff's branch

.gitignore

@@ -1,16 +1,14 @@
 # Project Files #
 #################
 *.userprefs
-WebGoat/WebGoat.NET.pidb
-WebGoat/bin
-WebGoat/obj
+*.pidb
+*swp
+bin
+obj
 WebGoat/App_Data/*.txt
-WebGoat/App_Data/.DS_Store
-WebGoat/App_Data/*.sqlite 
+*.sqlite*
 WebGoat/Configuration/*.config
 
 # Trash Files #
 ###############
 .DS_Store
-DB/.DS_Store
-WebGoat/DB_Scripts/.DS_Store

README

@@ -1,22 +1,64 @@
-
-	From the prompt, cd into the WebGoat.NET DB directory
+***************************** Webgoat.NET **********************************
+* Source Code: https://github.com/jerryhoff/WebGoat.NET
+* Download zip: https://github.com/jerryhoff/WebGoat.NET/zipball/master
+****************************************************************************
 
-        % cd /WebGoat.NET/DB
+This web application is a learning platform that attempts to teach about
+common web security flaws. It contains generic security flaws that apply to
+most web applications. It also contains lessons that specifically pertain to
+the .NET framework. The excercises in this app are intented to teach about 
+web security attacks and how developers can overcome them.
 
-    Start the mysql utility, giving the name (and password, if needed) of a user permission to create databases. For example, to use the default root user:
+WARNING: THIS WEB APPLICATION CONTAINS NUMEROUS SECURITY VULNERABILITIES 
+WHICH WILL RENDER YOUR COMPUTER VERY INSECURURE WHILE RUNNING! IT IS HIGHLY
+RECOMMENDED TO COMPLETELY DISCONNECT YOUR COMPUTER FROM ALL NETWORKS WHILE
+RUNNING!
 
-        % mysql --user=root 
+Notes:
+ - Google Chrome performs filtering for reflected XSS attacks. These attacks
+   will not work unless chrome is run with the argument 
+   --disable-xss-auditor. 
+- Some (but not all!) of the lessons require a working SQL database. Setup
+  guidelines are shown below.
 
-    Create the webgoat_coins database and load the schema. (Loading the schema the schema the first time will give error messages as it attemps to empty any existing tables, just ignore these.)
+How To Build And Run under Mac OS X and Linux:
+  1. Prerequisites
+     a. Mono framework for your respective OS. It can be downloaded at
+        http://www.go-mono.com/mono-downloads/download.html. Make sure
+        that ALL components get installed, including GTK and xsp.
+     b. A DB for some of the lessions. Sqlite3 is recommended as it's
+        faster and easier to use for the purposes of these lessions.
+        Binaries can be found here: http://www.sqlite.org/download.html
+  2. Install the mono framework and sqlite3 binaries.
+  3. IMPORTANT: Make sure that the the mono executable is in your PATH.
+  4. Grab WebGoat.NET and cd into the root dir.
+  5. Run 'xbuild'. There may be a few warnings but there should be no 
+     errors! If there are please let us know.
+  6. cd into the WebGoat project and run 'xsp4'. Then open your favorite
+     browser and go to http://localhost:8080 (or whatever port your
+     xsp4 is using if you're not using the default). Note: The first run
+     may take take some time as it's compiling everything on the fly.
+  7. If you see the WebGoat.NET page that means you're almost there! Next
+     step is to click on 'Set Up Database!'
+  8. You should see a form with a bunch of setup information for the
+     database. For 'Data Provider' choose Sqlite. For 'Data File Path' put
+     in 'db.sqlite3' and for 'Client Executable' put in the sqlite3
+     executable of your OS (usually /usr/bin/sqlite3).
+  9. Click on 'Test Configuration', followed by 'Rebuild Database' and
+     hopefully you should be good go! Enjoy your hackathon!
 
-        mysql> create database webgoat_coins; 
-		mysql> use webgoat_coins; 
-        mysql> source create_webgoatcoins.sql; 
-
-    Load the table contents:
-
-        mysql> source load_webgoatcoins.sql; 
-
-    Exit from mysql:
-
-        mysql> quit; 
+How to build and run under Windows:
+  1. Prerequisites:
+     a. Visual Studio 2010 and above.
+     b. Mysql database that's up and running with at least one user
+        aleady setup with full permissions.
+  2. Open WebGoat.sln file via Visual Studio, and click on debug.
+  3. You should see the WebGoat.NET page at which point click on
+     'Set Up Database'.
+  3. You should see a form with a bunch of setup information for the
+     database. For 'Data Provider' choose MySql. You'll need to fill in
+     the respective data entries for your mysql db. 'Client Executable'
+     and 'Data File Path' are not necessary for MySql so you can leave
+     them empty.
+  4. Click on 'Test Configuration', followed by 'Rebuild Database' and
+     hopefully you should be good go! Enjoy your hackathon!

WebGoat/App_Code/CustomerLoginData.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Web;
 
 namespace OWASP.WebGoat.NET
@@ -31,4 +30,4 @@ public String Message
         }
 
     }
-}
+}

WebGoat/App_Code/DB/DbConstants.cs

@@ -1,4 +1,5 @@
-using System;
+using System;
+using System.IO;
 
 namespace OWASP.WebGoat.NET.App_Code.DB
 {
@@ -18,10 +19,12 @@ public class DbConstants
         public const string DB_TYPE_MYSQL = "MySql";
         public const string DB_TYPE_SQLITE = "Sqlite";
         public const string CONFIG_EXT = "config";
-            
+
         //DB Scripts
-        public const string DB_CREATE_SCRIPT = "DB_Scripts/create_webgoatcoins.sql";
-        public const string DB_LOAD_MYSQL_SCRIPT = "DB_Scripts/load_webgoatcoins.sql";
-        public const string DB_LOAD_SQLITE_SCRIPT = "DB_Scripts/load_webgoatcoins_sqlite3.sql";
+        private const string SCRIPT_DIR = "DB_Scripts";
+        public static readonly string DB_CREATE_MYSQL_SCRIPT = Path.Combine(SCRIPT_DIR, "create_webgoatcoins.sql");
+        public static readonly string DB_CREATE_SQLITE_SCRIPT = Path.Combine(SCRIPT_DIR, "create_webgoatcoins_sqlite3.sql");
+        public static readonly string DB_LOAD_MYSQL_SCRIPT = Path.Combine(SCRIPT_DIR, "load_webgoatcoins.sql");
+        public static readonly string DB_LOAD_SQLITE_SCRIPT = Path.Combine(SCRIPT_DIR, "load_webgoatcoins_sqlite3.sql");
     }
 }

WebGoat/App_Code/DB/MySqlDbProvider.cs

@@ -103,7 +103,7 @@ public bool RecreateGoatDb()
 
             log.Info("Running recreate");
 
-            int retVal1 = Math.Abs(Util.RunProcessWithInput(_clientExec, args, DbConstants.DB_CREATE_SCRIPT));
+            int retVal1 = Math.Abs(Util.RunProcessWithInput(_clientExec, args, DbConstants.DB_CREATE_MYSQL_SCRIPT));
             int retVal2 = Math.Abs(Util.RunProcessWithInput(_clientExec, args, DbConstants.DB_LOAD_MYSQL_SCRIPT));
 
             return Math.Abs(retVal1) + Math.Abs(retVal2) == 0;