Merge pull request #47 from g0tmi1k/v1.9

DVWA v1.9

CHANGELOG.md

@@ -4,30 +4,36 @@ DAMN VULNERABLE WEB APPLICATION
 v1.9 (*Not Yet Released*)
 ======
 
-+ Added CSRF token to pre-auth forms (login/setup/security pages). (g0tmi1k + Shinkurt)
-+ Added HTTPOnly cookie flag on impossible levels. (g0tmi1k)
-+ Added PDO for the impossible examples in SQLi & SQLi Blind. (g0tmi1k)
-+ Added system check to setup. (g0tmi1k)
-+ Changed brute force medium to be harder due to sleep. (g0tmi1k)
-+ Changed file include landing page + added 3x example pages. (g0tmi1k)
-+ Changed file include medium to be harder due to more filters. (g0tmi1k)
-+ Changed HTTP REFERER check for medium level CSRF. (g0tmi1k)
-+ Changed input box for medium level with SQLi + SQLi Blind. (g0tmi1k)
-+ Changed SQLi + SQLi Blind to be $_POST rather than $_GET. (g0tmi1k)
-+ Changed SQLi Blind to be a real example of the vulnerability. (g0tmi1k)
-+ Fixed brute force and file upload impossible levels, as they were vulnerable. (g0tmi1k + Shinkurt)
-+ Fixed bug with file fnclude page not loading. (g0tmi1k)
-+ Fixed CAPTCHA bug to read URL parameters on impossible. (g0tmi1k)
-+ Fixed CAPTCHA bug where the form wouldn't be visible. (g0tmi1k)
-+ Fixed CAPTCHA bug where the URL parameters were not being used for low + medium. (g0tmi1k)
-+ Fixed CSRF medium level bug when not on localhost. (g0tmi1k)
-+ Fixed setup bug with custom URL path. (g0tmi1k)
-+ Removed PostgreSQL DB support. (g0tmi1k)
-+ Renamed 'Command Execution' to 'Command Injection'. (g0tmi1k)
-+ Renamed 'high' level to 'impossible' and created new vectors for 'high'. (g0tmi1k)
-+ Updated README and documentation. (g0tmi1k)
-+ Various code cleanups in the core PHP files+CSS & Verbosed the documentation. (g0tmi1k)
-+ Various setup improvements (e.g. redirection + limited menu links). (g0tmi1k)
++ Added a dedicated objective (or "flag") for file include. (@g0tmi1k)
++ Added a warning to any module that requires a certain configuration. (@g0tmi1k)
++ Added comments to all source code that would be visible via DVWA modules. (@g0tmi1k)
++ Added CSRF token to pre-auth forms (login/setup/security pages). (@g0tmi1k + @Shinkurt)
++ Added HttpOnly cookie flag on impossible levels. (@g0tmi1k)
++ Added more detail to the documentation. (@g0tmi1k)
++ Added PDO to all impossible levels requiring MySQL. (@g0tmi1k)
++ Added PHPIDS options into the config file. (@g0tmi1k)
++ Added system check to setup. (@g0tmi1k)
++ Added various information to all help pages for every module. (@g0tmi1k)
++ Changed brute force medium to be harder due to sleep. (@g0tmi1k)
++ Changed file include landing page + added 3x example pages. (@g0tmi1k)
++ Changed file include medium to be harder due to more filters. (@g0tmi1k)
++ Changed HTTP REFERER check for medium level CSRF. (@g0tmi1k)
++ Changed input box for medium level with SQLi + SQLi Blind. (@g0tmi1k)
++ Changed SQLi + SQLi Blind to be $_POST rather than $_GET. (@g0tmi1k)
++ Changed SQLi Blind to be a real example of the vulnerability. (@g0tmi1k)
++ Fixed brute force and file upload impossible levels, as they were vulnerable. (@g0tmi1k + @Shinkurt)
++ Fixed bug with file fnclude page not loading. (@g0tmi1k)
++ Fixed CAPTCHA bug to read URL parameters on impossible. (@g0tmi1k)
++ Fixed CAPTCHA bug where the form wouldn't be visible. (@g0tmi1k)
++ Fixed CAPTCHA bug where the URL parameters were not being used for low + medium. (@g0tmi1k)
++ Fixed CSRF medium level bug when not on localhost. (@g0tmi1k)
++ Fixed setup bug with custom URL path. (@g0tmi1k)
++ Removed PostgreSQL DB support. (@g0tmi1k)
++ Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k)
++ Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k)
++ Updated README and documentation. (@g0tmi1k)
++ Various code cleanups in the core PHP files+CSS. (@g0tmi1k)
++ Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k)
 
 v1.8 (2013-05-01)
 ======
@@ -40,42 +46,42 @@ v1.8 (2013-05-01)
 v1.0.7 (2010-09-08)
 ======
 
-+ Re-designed the login page + made some other slight cosmetic changes. 06/06/2010 (ethicalhack3r)
-+ Started PostgreSQL implementation. 15/03/2010 (ethicalhack3r)
-+ A few small cosmetic changes. 15/03/2010 (ethicalhack3r)
-+ Improved the help information and look. 15/03/2010 (ethicalhack3r)
-+ Fixed a few bugs thanks to Digininja. 15/03/2010 (ethicalhack3r)
++ Re-designed the login page + made some other slight cosmetic changes. 06/06/2010 (@ethicalhack3r)
++ Started PostgreSQL implementation. 15/03/2010 (@ethicalhack3r)
++ A few small cosmetic changes. 15/03/2010 (@ethicalhack3r)
++ Improved the help information and look. 15/03/2010 (@ethicalhack3r)
++ Fixed a few bugs thanks to @Digininja. 15/03/2010 (@ethicalhack3r)
 + Show logged in username. 05/02/2010 (Jason Jones)
-+ Added new info on RandomStorm. 04/02/2010 (ethicalhack3r)
-+ Added 'SQL Injection (Blind)'. 04/02/2010 (ethicalhack3r)
-+ Added official documentation. 21/11/2009 (ethicalhack3r)
-+ Implemented view all source functionality. 16/10/2009 (tmacuk, craig, ethicalhack3r)
++ Added new info on RandomStorm. 04/02/2010 (@ethicalhack3r)
++ Added 'SQL Injection (Blind)'. 04/02/2010 (@ethicalhack3r)
++ Added official documentation. 21/11/2009 (@ethicalhack3r)
++ Implemented view all source functionality. 16/10/2009 (tmacuk, craig, @ethicalhack3r)
 
 v1.0.6 (2009-10-05)
 ======
 
-+ Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
-+ Removed 'current password' input box for low+med CSRF security. 03/09/2009 (ethicalhack3r)
-+ Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
-+ Added more toubleshooting information. 02/10/2009 (ethicalhack3r)
-+ Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
-+ Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
-+ Rewritten command execution high to use a whitelist. 30/09/09 (ethicalhack3r)
-+ Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r)
-+ Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r)
-+ Added the upload directory to the upload help. 17/09/09 (ethicalhack3r)
++ Fixed a bug where the logo would not show on first time use. 03/09/2009 (@ethicalhack3r)
++ Removed 'current password' input box for low+med CSRF security. 03/09/2009 (@ethicalhack3r)
++ Added an article which was written for OWASP Turkey. 03/10/2009 (@ethicalhack3r)
++ Added more toubleshooting information. 02/10/2009 (@ethicalhack3r)
++ Stored XSS high now sanitises output. 02/10/2009 (@ethicalhack3r)
++ Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (@ethicalhack3r)
++ Rewritten command execution high to use a whitelist. 30/09/09 (@ethicalhack3r)
++ Fixed a command execution vulnerability in exec high. 17/09/09 (@ethicalhack3r)
++ Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (@ethicalhack3r)
++ Added the upload directory to the upload help. 17/09/09 (@ethicalhack3r)
 
 v1.0.5 (2009-09-03)
 ======
 
-+ Made IE friendly as much as possible. 30/08/2009 (ethicalhack3r)
-+ Removed the acunetix scan report. 30/08/2009 (ethicalhack3r)
-+ Added 'Clear Log' button to PHPIDS parser. 27/08/2009 (ethicalhack3r)
-+ Implemented PHPIDS log parser. 27/08/2009 (ethicalhack3r)
-+ Implemented Stored XSS vulnerability. 27/08/2009 (ethicalhack3r)
-+ Added htaccess rule for localhost access only. 22/08/2009 (ethicalhack3r)
-+ Added CSRF. 01/08/2009 (ethicalhack3r)
-+ Implemented sessions/login. 01/08/2009 (ethicalhack3r)
++ Made IE friendly as much as possible. 30/08/2009 (@ethicalhack3r)
++ Removed the acunetix scan report. 30/08/2009 (@ethicalhack3r)
++ Added 'Clear Log' button to PHPIDS parser. 27/08/2009 (@ethicalhack3r)
++ Implemented PHPIDS log parser. 27/08/2009 (@ethicalhack3r)
++ Implemented Stored XSS vulnerability. 27/08/2009 (@ethicalhack3r)
++ Added htaccess rule for localhost access only. 22/08/2009 (@ethicalhack3r)
++ Added CSRF. 01/08/2009 (@ethicalhack3r)
++ Implemented sessions/login. 01/08/2009 (@ethicalhack3r)
 + Complete recode. (jamesr)
 + Complete redesign. (jamesr)
 + Delimited 'dvwa' in session- minimising the risk of clash with other projects running on localhost. 01/08/2009 (jamesr)

README.md

@@ -42,9 +42,9 @@ along with Damn Vulnerable Web Application (DVWA).  If not, see http://www.gnu.o
 
 DVWA is available either as a package that will run on your own web server or as a Live CD:
 
-  + DVWA v1.9 (Testing) - (1.3 MB) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) - `git clone https://github.com/RandomStorm/DVWA`
-  + DVWA v1.8 (Stable) - (1.3 MB) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.0.8.zip)
-  + DVWA v1.0.7 LiveCD - (480 MB) [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso)
+  + DVWA v1.9 Source (Testing) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA`
+  + DVWA v1.8 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.0.8.zip) - Released 2013-05-01
+  + DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08
 
 - - -
 
@@ -90,22 +90,22 @@ $_DVWA[ 'db_database' ] = 'dvwa';
 Depening on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
 Note, You are unable to use PHP v7.0 or later with DVWA.
 
-**Folders Permissions**:
+**Folder Permissions**:
 
 * `./hackable/uploads/` - Needs to be writable by the web service (for File Upload).
-* `./external/phpids/0.6/lib/IDS/tmp/` - Needs to be writable by the web service (if you wish to use PHPIDS).
+* `./external/phpids/0.6/lib/IDS/tmp/phpids_log.txt` - Needs to be writable by the web service (if you wish to use PHPIDS).
 
-**PHP**:
+**PHP configuration**:
 
 * `allow_url_include = on` - Allows for Remote File Inclusions (RFI)   [[allow_url_include](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include)]
 * `allow_url_fopen = on` -  Allows for Remote File Inclusions (RFI)    [[allow_url_fopen](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen)]
 * `safe_mode = off` - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [[safe_mode](https://secure.php.net/manual/en/features.safe-mode.php)]
 * `magic_quotes_gpc = off` - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [[magic_quotes_gpc](https://secure.php.net/manual/en/security.magicquotes.php)]
 * `display_errors = off` - (Optional) Hides PHP warning messages to make it less verbose [[display_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)]
 
-**`config/config.inc.php`**:
+**File: `config/config.inc.php`**:
 
-* `$_DVWA[ 'recaptcha_public_key' ]` & `$_DVWA[ 'recaptcha_private_key' ]` - Need to be generated from: https://www.google.com/recaptcha/admin/create
+* `$_DVWA[ 'recaptcha_public_key' ]` & `$_DVWA[ 'recaptcha_private_key' ]` - These values need to be generated from: https://www.google.com/recaptcha/admin/create
 
 ### Default Credentials
 
@@ -122,9 +122,9 @@ Login URL: http://127.0.0.1/dvwa/login.php
 For the latest troubleshooting information please visit:
 https://github.com/RandomStorm/DVWA/issues
 
-+Q. SQL Injection wont work on PHP version 5.2.6.
++Q. SQL Injection wont work on PHP v5.2.6.
 
--A.If you are using PHP version 5.2.6 you will need to do the following in order for SQL injection and other vulnerabilities to work.
+-A.If you are using PHP v5.2.6 you will need to do the following in order for SQL injection and other vulnerabilities to work.
 
 In `.htaccess`:
 
@@ -154,7 +154,7 @@ With:
 
 +Q. My XSS payload won't run in IE.
 
--A. If your running IE8 or above IE actively filters any XSS. To disable the filter you can do so by setting the HTTP header `X-XSS-Protection: 0` or disable it from internet options. There may also be ways to bypass the filter.
+-A. If your running IE8 or above, IE actively filters any XSS. To disable the filter you can do so by setting the HTTP header `X-XSS-Protection: 0` or disable it from internet options. There may also be ways to bypass the filter.
 
 - - -
 

about.php

@@ -1,59 +1,58 @@
 <?php
 
 define( 'DVWA_WEB_PAGE_TO_ROOT', '' );
-require_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/dvwaPage.inc.php';
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
 
 dvwaPageStartup( array( 'phpids' ) );
 
 $page = dvwaPageNewGrab();
-$page[ 'title' ]   = 'About'.$page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'title' ]   = 'About' . $page[ 'title_separator' ].$page[ 'title' ];
 $page[ 'page_id' ] = 'about';
 
 $page[ 'body' ] .= "
 <div class=\"body_padded\">
 	<h1>About</h1>
-	<p>Version ".dvwaVersionGet()." (Release date: ".dvwaReleaseDateGet().")</p>
+	<p>Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")</p>
 	<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment</p>
 	<p>The official documentation for DVWA can be found <a href=\"docs/DVWA_v1.3.pdf\">here</a>.</p>
 	<p>DVWA is a RandomStorm OpenSource project. All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.</p>
 
 	<h2>Links</h2>
 	<ul>
-		<li>Homepage: ".dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/' )."</li>
-		<li>Project Home: ".dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA' )."</li>
-		<li>Bug Tracker: ".dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA/issues' )."</li>
-		<li>Souce Control: ".dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA/commits/master' )."</li>
-		<li>Wiki: ".dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA/wiki' )."</li>
+		<li>Homepage: " . dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/' ) . "</li>
+		<li>Project Home: " . dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA' ) . "</li>
+		<li>Bug Tracker: " . dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA/issues' ) . "</li>
+		<li>Souce Control: " . dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA/commits/master' ) . "</li>
+		<li>Wiki: " . dvwaExternalLinkUrlGet( 'https://github.com/RandomStorm/DVWA/wiki' ) . "</li>
 	</ul>
 
 	<h2>Credits</h2>
 	<ul>
-		<li>Craig: ".dvwaExternalLinkUrlGet( 'http://www.youreadmyblog.info/','www.youreadmyblog.info' )."</li>
-		<li>Jamesr: ".dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' )." / ".dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' )."</li>
-		<li>Ryan Dewhurst: ".dvwaExternalLinkUrlGet( 'http://www.ethicalhack3r.co.uk/','www.ethicalhack3r.co.uk' )."</li>
-		<li>Tedi Heriyanto: ".dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','http://tedi.heriyanto.net' )."</li>
-		<li>Tom Mackenzie: ".dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' )."</li>
-		<li>RandomStorm: ".dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' )."</li>
-		<li>Jason Jones: ".dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' )."</li>
-		<li>Brooks Garrett: ".dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' )."</li>
-		<li>g0tmi1k: ".dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' )."</li>
-		<li>Shinkurt: ".dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' )."</li>
+		<li>Craig: " . dvwaExternalLinkUrlGet( 'http://www.youreadmyblog.info/','www.youreadmyblog.info' ) . "</li>
+		<li>Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " / " . dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' ) . "</li>
+		<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'http://www.ethicalhack3r.co.uk/','www.ethicalhack3r.co.uk' ) . "</li>
+		<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','http://tedi.heriyanto.net' ) . "</li>
+		<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "</li>
+		<li>RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "</li>
+		<li>Jason Jones: " . dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' ) . "</li>
+		<li>Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . "</li>
+		<li>g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . "</li>
+		<li>Shinkurt: " . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . "</li>
 	</ul>
 	<ul>
-		<li>PHPIDS - Copyright (c) 2007 ".dvwaExternalLinkUrlGet( 'http://github.com/PHPIDS/PHPIDS', 'PHPIDS group' )."</li>
+		<li>PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet( 'http://github.com/PHPIDS/PHPIDS', 'PHPIDS group' ) . "</li>
 	</ul>
 
 	<h2>License</h2>
 	<p>Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify
 	it under the terms of the GNU General Public License as published by
 	the Free Software Foundation, either version 3 of the License, or
 	(at your option) any later version.</p>
-	<p>The PHPIDS library is included, in good faith, with this DVWA distribution. The operation of PHPIDS is provided without support from the DVWA team. It is licensed under <a href=\"".DVWA_WEB_PAGE_TO_ROOT."instructions.php?doc=PHPIDS-license\">separate terms</a> to the DVWA code.</p>
+	<p>The PHPIDS library is included, in good faith, with this DVWA distribution. The operation of PHPIDS is provided without support from the DVWA team. It is licensed under <a href=\"" . DVWA_WEB_PAGE_TO_ROOT . "instructions.php?doc=PHPIDS-license\">separate terms</a> to the DVWA code.</p>
 
 	<h2>Development</h2>
 	<p>Everyone is welcome to contribute and help make DVWA as successful as it can be. All contributors can have their name and link (if they wish) placed in the credits section. To contribute pick an Issue from the Project Home to work on or submit a patch to the Issues list.</p>
-</div>
-";
+</div>\n";
 
 dvwaHtmlEcho( $page );
 exit;

config/config.inc.php

@@ -17,17 +17,28 @@
 $_DVWA[ 'db_user' ]     = 'root';
 $_DVWA[ 'db_password' ] = 'p@ssw0rd';
 
-# Only used for PostgreSQL/PGSQL
+# Only used with PostgreSQL/PGSQL database selection.
 $_DVWA[ 'db_port '] = '5432';
 
 # ReCAPTCHA settings
-#   Get your keys at https://www.google.com/recaptcha/admin/create
+#   Used for the 'Insecure CAPTCHA' module
+#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create
 $_DVWA[ 'recaptcha_public_key' ]  = '';
 $_DVWA[ 'recaptcha_private_key' ] = '';
 
 # Default security level
-#   The default is impossible, you may wish to set this to either low, medium or high.
-#   If you specify an invalid level, DVWA will default to impossible.
+#   Default value for the secuirty level with each session.
+#   The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'.
 $_DVWA[ 'default_security_level' ] = 'impossible';
 
+# Default PHPIDS status
+#   PHPIDS status with each session.
+#   The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
+$_DVWA[ 'default_phpids_level' ] = 'disabled';
+
+# Verbose PHPIDS messages
+#   Enabling this will show why the WAF blocked the request on the blocked request.
+#   The default is 'disabled'. You can set this to be either 'true' or 'false'.
+$_DVWA[ 'default_phpids_verbose' ] = 'false';
+
 ?>

dvwa/css/help.css

@@ -8,15 +8,18 @@ h1 {
 	font-size: 25px;
 }
 
-
 div#container {
 }
 
-
 div#code {
 	background-color: #ffffff;
 }
 
 div#area {
 	margin-left: 30px;
 }
+
+span.spoiler {
+	background-color: black;
+	color: black;
+}