Commit

Cleanup of vulnerable components
mayhew64 committed Feb 8, 2017
1 parent 27947cc commit 0de5693
Showing 12 changed files with 24 additions and 17 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
== What is SQL Injection?

=== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application
==== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application

=== A successful SQL injection exploit can:
* Read and modify sensitive data from the database
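Review bot: the reworded sentence on the `====` line keeps the grammar error of the line it replaces, "insertion or "injection" of an malicious data"; drop the article ("insertion or "injection" of malicious data via the SQL query input"). Demoting the sentence from `===` to `====` also leaves a full sentence serving as a heading; it reads as body text and would be better as a plain paragraph under "What is SQL Injection?".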
Original file line number Diff line number Diff line change
Expand Up @@ -86,13 +86,11 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());

} catch (com.thoughtworks.xstream.converters.ConversionException ex) {
ex.printStackTrace();
if (ex.getMessage().contains("Integer"))
{
return trackProgress(success().feedback("vulnerable-components.success").build());
}
return trackProgress(failed().feedback("vulnerable-components.close").build());

}


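Review bot: the pass/fail decision in this catch block hinges on `ex.getMessage().contains("Integer")`, i.e. on the wording of XStream's `ConversionException` message, which can change between library versions and will silently break the lesson; checking the exception's cause (or a more specific condition on the failed conversion) would make the success check robust. Deleting `ex.printStackTrace();` also removes the only diagnostic on this path; a logger call at debug level keeps the stack trace available for troubleshooting without writing it to stdout.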
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@

== 2013 OWASP Top 10 - A9

As early as 2013, thought leaders like OWASP have recognized that "WE" need to pay attention to this problem.
As early as 2013, thought leaders like OWASP recognized that "WE" need to pay attention to this problem.


image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"]
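Review bot: the image macro on the last line of this hunk has no comma between `style="lesson-image"` and `link="..."`; AsciiDoc attribute lists are comma-separated, so the `link` attribute is unlikely to be parsed and the figure will not be clickable. Separate the two attributes with a comma. The wording change ("have recognized" to "recognized") reads fine.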
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
== The exploit is not always in "your" code
Below is an example of using the same source and different versions of jquery-ui. One is exploitable; one is not.
Below is an example of using the same WebGoat source code, but different versions of the jquery-ui component. One is exploitable; one is not.

=== jquery-ui:1.10.4
This example allows the user to specify the content of the "closeText" for the jquery-ui dialog. This is an unlikely development scenario, however the jquery-ui dialog (TBD - show exploit link) does not defend against XSS in the button text of the close dialog.
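Review bot: the context line still carries the placeholder "(TBD - show exploit link)", which will render verbatim in the lesson; either add the intended link or remove the parenthetical before this page ships. In the same sentence, "scenario, however the jquery-ui dialog" needs a semicolon or full stop before "however". The rewritten first line is clearer than the original.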
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
== How do I generate a Bill of Materials

There are several open source and paid-for solutions that will identify risk in components. There are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk.
There are several open source and paid-for solutions that will identify risk in components. However, there are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk.

Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report:

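Review bot: the tool is named "OWASP Dependency Check" in the changed line and "Dependency check" in the following context line; pick one spelling and capitalisation (the project styles itself "Dependency-Check") and use it consistently across the lesson. The added "However," improves the flow of the paragraph.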
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,24 @@

=== What's important?

* Is it old or is it stable
* Was my lack of upgrade a deliberate choice or a lack of knowledge
* Is the project I'm using no longer active
* Is my component old or is it stable
* Is my component unpopular
* Was my lack of upgrade a deliberate choice or a lack of knowledge

=== Summary

* It's really difficult to keep components up to dat
* It's really difficult to keep components up to date

====
For the components analyzed in 25,000 applications it was found that:
* 8% of 2 year old components did not have a newer version
* 23% of 11 year old components did not have a newer version
* Older components make up the majority of the risk
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
[cols="2a,2a"]
|===
| image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
| image::plugin_lessons/plugin/VulnerableComponents/images/Risk-of-Old-Components.png[caption="Figure: ", title="Risk of Old Components", alt="Risk of Old Components", width="355", height="304", style="lesson-image"]
|===
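Review bot: the bullet list that follows "For the components analyzed in 25,000 applications it was found that:" is not separated from that paragraph by a blank line, so Asciidoctor will treat the `*` lines as a continuation of the paragraph rather than as list items; insert a blank line before the first bullet. The three statistics (8%, 23%, "majority of the risk") cite no source in this block, unlike the other lesson pages, which give a `Ref:` link; add the reference the figures come from. The replacement of the single image with a two-column `[cols="2a,2a"]` table is fine, since the `a` column style is what lets the `image::` block macro render inside the cells.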
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,10 @@ In November of 2015, the Apache Commons Collections component latest release was
Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]


=== Dinis Cruz and pwntester exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]
=== Dinis Cruz and Alvaro Munoz exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. +
Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] +
https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]

You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat.

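Review bot: "has a nasty little remote code execution" is missing its noun; write "remote code execution vulnerability". The section names the issue but not which XStream versions are affected or any vulnerability identifier, so a learner cannot tell whether the library they use is exposed; add the affected version range or an advisory reference alongside the two existing links. The ` +` hard line breaks that split the two references onto separate lines are an improvement over the original single line.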
Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,4 @@ WebGoat Sends an XML document to add contacts to a contacts database.
</contact>
----

For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml).
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
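Review bot: the changed line only adds backticks around `XStream.fromXML(xml)` and keeps two errors from the original: "convert it a Contact object" is missing "to" ("convert it to a Contact object"), and "xml" as a noun should be "XML" to match the rest of the sentence.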
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
* *Open source components are the new attack vector.*
== What to do
* Generate a bill of materials.
* Generate an OSS Bill of Materials.
** Use http://lmgtfy.com/?q=OSS+bill+of+materials[automated tooling]
* Baseline open source consumption in your organization.
* Develop an open source component risk management strategy to mitigate current risk and reduce future risk.
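Review bot: the new sub-bullet links "automated tooling" to a lmgtfy.com query, which is a joke redirect rather than a reference and will read as dismissive in a training lesson; link to a concrete tool instead, for example the OWASP Dependency Check that the "How do I generate a Bill of Materials" page already names. Renaming the bullet to "OSS Bill of Materials" is consistent with the rest of the lesson.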
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,14 @@

The way we build software has changed. The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref: https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain]

image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="800", height="400", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]
This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk.

image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="500", height="300", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]

This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk.

== Goals

* Gain awareness that the open source consumed is as important as your own custom code.
* Gain awareness of the management, or lack of management, in our open source component consumption.
* Understand the importance of a Bill of Materials in determining open source component risk

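Review bot: the `link` attribute in the image macro is malformed in both the removed and the added line: its value `"https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]` contains a stray `[Software Supply Chain` (link-macro text pasted into an attribute value), so the URL the figure points at is wrong; the value should end at the query string. As on the A9 page, there is also no comma between `style="lesson-image"` and `link=`, so the attribute will not be parsed at all. Since this hunk already resizes the macro, fix both here. Moving the "This lesson will walk through..." paragraph below the figure is fine.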