Added a lesson for the CIA-Triad in the general category explaining t…

…he three elements of the triad.
guoqingz · Mar 26, 2019 · d2a2716 · d2a2716
1 parent 0529289
commit d2a2716
Show file tree

Hide file tree

Showing 10 changed files with 152 additions and 0 deletions.
diff --git a/webgoat-lessons/cia/pom.xml b/webgoat-lessons/cia/pom.xml
@@ -0,0 +1,11 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cia</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>v8.0.0.SNAPSHOT</version>
+    </parent>
+</project>
diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIA.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIA.java
@@ -0,0 +1,39 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * @author BenediktStuhrmann
+ * @since 11/2/18.
+ */
+public class CIA extends NewLesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.GENERAL;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 3;
+    }
+
+    @Override
+    public String getTitle() {
+        return "cia.title";
+    }
+
+    @Override
+    public String getId() {
+        return "CIA";
+    }
+}
diff --git a/webgoat-lessons/cia/src/main/resources/html/CIA.html b/webgoat-lessons/cia/src/main/resources/html/CIA.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_intro.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_confidentiality.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_integrity.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CIA_availability.adoc"></div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/cia/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cia/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1 @@
+cia.title=CIA Triad
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc
@@ -0,0 +1,22 @@
+== Availability
+
+Confidentiality is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed.
+
+{nbsp} +
+
+=== Examples that compromise availability:
+
+** denial-of-service attacks (Dos)
+** server crashes
+** even fire or natural disasters
+
+{nbsp} +
+
+=== Examples of methods ensuring availability
+
+** intrusion detection systems
+** network traffic control
+** firewalls
+** physically and geographically isolated location
+*** fire- and waterproof
+** hardware maintenance
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc
@@ -0,0 +1,25 @@
+== Confidentiality
+
+Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it.
+
+While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers.
+
+{nbsp} +
+
+=== Examples that compromise confidentiality:
+
+** a hacker gets access to the password database of a company
+** sensitive emails being sent to incorrect individuals
+** a hacker reads sensitive information by intercepting and eavesdropping an information transfer
+
+{nbsp} +
+
+=== Examples of methods ensuring confidentiality
+
+** data encryption
+** authentication methods
+*** passwords
+*** two-factor authentication
+*** biometric verification
+** minimizing the number of places/times the information appears
+** physical security measurements like protected server rooms etc.
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc
@@ -0,0 +1,20 @@
+== Integrity
+
+Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality).
+
+{nbsp} +
+
+=== Examples that compromise integrity:
+
+** human error when entering data
+** errors during data transmission
+** software bugs, hardware failures
+** hackers change information that they should not have access to
+
+{nbsp} +
+
+=== Examples of methods ensuring integrity
+
+** well functioning authentication methods and access control
+** checking integrity with hash functions
+** backups, redundancy
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc
@@ -0,0 +1,7 @@
+== The CIA Triad
+
+The CIA Triad (confidentiality, integrity, availability) is a model for information security.
+The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
+If only one of those three elements can be breached it can have serious consequences for the parties concerned.
+
+The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization.
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
@@ -20,6 +20,7 @@
         <module>cross-site-scripting</module>
         <module>html-tampering</module>
         <module>http-basics</module>
+        <module>cia</module>
         <module>http-proxies</module>
         <module>insecure-login</module>
         <module>insecure-deserialization</module>

diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
@@ -130,6 +130,11 @@
             <artifactId>http-proxies</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>cia</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.owasp.webgoat.lesson</groupId>
             <artifactId>idor</artifactId>