Merge branch 'release/v8.0.0.M18'

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java

@@ -64,11 +64,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
 
     private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
         String referer = request.getHeader("referer");
-        String origin = request.getHeader("origin");
+        String host = request.getHeader("host");
         if (referer != null) {
-            return !referer.contains(origin);
+            return !referer.contains(host);
         } else {
-            return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false
+            return true;
         }
     }
 

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -20,7 +20,7 @@
           action="/WebGoat/csrf/basic-get-flag"
           enctype="application/json;charset=UTF-8">
         <input name="csrf" type="hidden" value="false"/>
-        <input type="submit" name="ubmit="/>
+        <input type="submit" name="submit"/>
 
     </form>
 

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc

@@ -16,9 +16,11 @@ the activities of the user.
 image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]
 
 {blank}
-For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper]
+For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper].
 
-In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user 
-based on your own username prefixed with csrf. So if your username is `tom` you must create
-a new user called `csrf-tom`
+In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack.
+Leave this tab open and in another tab create a user based on your own username prefixed with `csrf-`.
+So if your username is `tom` you must create a new user called `csrf-tom`.
 
+Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab.
+Because you are logged in as a different user, the attacker learns that you clicked the button.

webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java

@@ -46,7 +46,7 @@ public class CSRFFeedbackTest extends LessonTest {
         mockMvc.perform(post("/csrf/feedback/message")
                 .contentType(MediaType.TEXT_PLAIN)
                 .cookie(new Cookie("JSESSIONID", "test"))
-                .header("origin", "localhost:8080")
+                .header("host", "localhost:8080")
                 .header("referer", "webgoat.org")
                 .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
                 .andExpect(jsonPath("lessonCompleted", is(true)))