- Introduced user registration

- Now using Spring Boot for classloading, this way local development does not need to restart the complete server
- Fixed all kinds of dependencies on the names of the lessons necessary to keep in mind during the creation of a lesson.
- Simplied loading of resources, by adding resource mappings in MvcConfig.
- Refactored plugin loading, now only one class is left for loading the lessons.

webgoat-lessons/xxe/pom.xml

@@ -9,28 +9,11 @@
         <version>8.0-SNAPSHOT</version>
     </parent>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.asciidoctor</groupId>
-                <artifactId>asciidoctor-maven-plugin</artifactId>
-                <version>1.5.3</version>
-
-                <executions>
-                    <execution>
-                        <id>output-html</id>
-                        <phase>generate-resources</phase>
-                        <goals>
-                            <goal>process-asciidoc</goal>
-                        </goals>
-                        <configuration>
-                            <backend>html</backend>
-                            <sourceDirectory>src/main/resources/plugin/XXE/lessonPlans/en/</sourceDirectory>
-                        </configuration>
-                    </execution>
-
-                </executions>
-            </plugin>
-        </plugins>
-    </build>
+    <dependencies>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
+        </dependency>
+    </dependencies>
 </project>

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java

@@ -1,17 +1,23 @@
 package org.owasp.webgoat.plugin;
 
 import com.google.common.base.Joiner;
+import lombok.SneakyThrows;
 import org.apache.commons.lang.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
+import org.springframework.util.FileCopyUtils;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.annotation.PostConstruct;
 import java.io.File;
+import java.io.FileOutputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.List;
@@ -50,6 +56,20 @@ import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
 @AssignmentPath("XXE/blind")
 public class BlindSendFileAssignment extends AssignmentEndpoint {
 
+    @Value("${webgoat.user.directory}")
+    private String webGoatHomeDirectory;
+
+    @PostConstruct
+    @SneakyThrows
+    public void copyFile() {
+        ClassPathResource classPathResource = new ClassPathResource("secret.txt");
+        File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
+        if (!targetDirectory.exists()) {
+            targetDirectory.mkdir();
+        }
+        FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "secret.txt")));
+    }
+
     @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
     public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
@@ -60,7 +80,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
             error = ExceptionUtils.getFullStackTrace(e);
         }
 
-        File logFile = new File(getPluginDirectory(), "/XXE/log.txt");
+        File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt");
         List<String> lines = Files.readAllLines(Paths.get(logFile.toURI()));
         boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
         logFile.delete();

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java

@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
 
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.assignments.Endpoint;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -44,6 +45,9 @@ import java.io.PrintWriter;
 @Slf4j
 public class Ping extends Endpoint {
 
+    @Value("${webgoat.user.directory}")
+    private String webGoatHomeDirectory;
+
     @Override
     public String getPath() {
         return "XXE/ping";
@@ -54,13 +58,13 @@ public class Ping extends Endpoint {
     public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
         String logLine = String.format("%s %s %s", "GET", userAgent, text);
         log.debug(logLine);
-        File logFile = new File(getPluginDirectory(), "/XXE/log.txt");
+        File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt");
         try {
             try (PrintWriter pw = new PrintWriter(logFile)) {
                 pw.println(logLine);
             }
         } catch (FileNotFoundException e) {
-            log.error("Error occured while writing the logfile", e);
+            log.error("Error occurred while writing the logfile", e);
         }
         return "";
     }

webgoat-lessons/xxe/src/main/resources/html/XXE.html

@@ -27,7 +27,7 @@
         <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
         <form class="attack-form" accept-charset="UNKNOWN" prepareData="register" method="POST" name="form"
               action="/WebGoat/XXE/simple" contentType="application/xml">
-            <script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
+            <script th:src="@{/lesson_js/xxe.js}"
                     language="JavaScript"></script>
             <div id="lessonContent">
                 <strong>Registration form</strong>
@@ -77,7 +77,7 @@
         <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
         <form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
               action="/WebGoat/XXE/content-type" contentType="application/json">
-            <script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
+            <script th:src="@{/lesson_js/xxe.js}"
                     language="JavaScript"></script>
             <div id="lessonContent">
                 <strong>Registration form</strong>
@@ -135,13 +135,13 @@
         <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
         <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
-              action="/WebGoat/XXE/blind" contentType="application/json">
-            <script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
+        <form class="attack-form" accept-charset="UNKNOWN" prepareData="register" method="POST" name="form"
+              action="/WebGoat/XXE/blind" contentType="application/xml">
+            <script th:src="@{/lesson_js/xxe.js}"
                     language="JavaScript"></script>
             <div id="lessonContent">
                 <strong>Registration form</strong>
-                <form prepareData="registerJson" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
+                <form prepareData="register" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
                     <table>
                         <tr>
                             <td>Username</td>

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc

@@ -4,7 +4,7 @@ In some cases you will see no output because although your attack might have wor
 Or the resource you are trying to read contains illegal XML character which causes the parser to fail.
 Let's start with an example, in this case we reference a external DTD which we control on our own server.
 
-Our WebGoat server by default has an /xxe/ping endpoint which we can use. In real case this can be any server you control.
+Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server you control.*
 
 [source]
 ----

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc

@@ -1,7 +1,7 @@
 == Blind XXE assignment
 
 In the previous page we showed you how you can ping a server with a XXE attack, in this assigment try to make a DTD which will upload the
-contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/plugin/XXE/secret.txt`, for Windows
-this would be `c:/Users/USER/.webgoat/plugin/XXE/secret.txt`
+contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows
+this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
 
 Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)