From 368c0467791d188db2ba15a130e99824565c4ac9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Fri, 25 Aug 2023 20:37:56 +0200
Subject: [PATCH] fix: Stored Cross-Site Scripting Lesson

---
 .../org/owasp/webgoat/lessons/xss/CrossSiteScripting.java   | 2 +-
 .../lessons/xss/stored/CrossSiteScriptingStored.java        | 4 +++-
 .../xss/stored/StoredCrossSiteScriptingVerifier.java        | 6 ------
 .../owasp/webgoat/lessons/xss/stored/StoredXssComments.java | 2 --
 .../lessons/xss/html/CrossSiteScriptingStored.html          | 2 +-
 .../resources/lessons/xss/i18n/WebGoatLabels.properties     | 5 +++--
 src/main/resources/lessons/xss/js/stored-xss.js             | 4 ++--
 7 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
index 9068e030f..5c614cb9e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
@@ -35,6 +35,6 @@ public class CrossSiteScripting extends Lesson {
 
   @Override
   public String getTitle() {
-    return "xss.title";
+    return "4.xss.title";
   }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
index a9eeb0fff..3238d2f99 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
@@ -24,7 +24,9 @@ package org.owasp.webgoat.lessons.xss.stored;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
+import org.springframework.stereotype.Component;
 
+@Component
 public class CrossSiteScriptingStored extends Lesson {
   @Override
   public Category getDefaultCategory() {
@@ -33,6 +35,6 @@ public class CrossSiteScriptingStored extends Lesson {
 
   @Override
   public String getTitle() {
-    return "xss-stored.title";
+    return "5.xss-stored.title";
   }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
index 0a4e89ed0..1b5d9f96f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
@@ -34,7 +34,6 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
 
-  // TODO This assignment seems not to be in use in the UI
   @PostMapping("/CrossSiteScriptingStored/stored-xss-follow-up")
   @ResponseBody
   public AttackResult completed(@RequestParam String successMessage) {
@@ -47,8 +46,3 @@ public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
     }
   }
 }
-
-// something like ...
-// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or
-// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
index a501edeb1..196e2e3e1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
@@ -72,7 +72,6 @@ public class StoredXssComments extends AssignmentEndpoint {
             "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
   }
 
-  // TODO This assignment seems not to be in use in the UI
   @GetMapping(
       path = "/CrossSiteScriptingStored/stored-xss",
       produces = MediaType.APPLICATION_JSON_VALUE,
@@ -89,7 +88,6 @@ public class StoredXssComments extends AssignmentEndpoint {
     return allComments;
   }
 
-  // TODO This assignment seems not to be in use in the UI
   @PostMapping("/CrossSiteScriptingStored/stored-xss")
   @ResponseBody
   public AttackResult createNewComment(@RequestBody String commentStr) {
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
index 439dd73dc..7be92ffd6 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
@@ -67,7 +67,7 @@
 
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMFollowUp"
-			  action="/WebGoat/CrossSiteScripting/stored-xss-follow-up">
+			  action="/WebGoat/CrossSiteScriptingStored/stored-xss-follow-up">
 			<input name="successMessage" value="" type="TEXT" />
 			<input name="submitMessage" value="Submit" type="SUBMIT"/>
 		</form>
diff --git a/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties b/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
index 81b40e219..b0eca9483 100644
--- a/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
@@ -1,7 +1,8 @@
 # XSS success, failure messages and hints
-xss.title=Cross Site Scripting
-xss-stored.title=Cross Site Scripting (stored)
+4.xss.title=Cross Site Scripting
+5.xss-stored.title=Cross Site Scripting (stored)
 xss-mitigation.title=Cross Site Scripting (mitigation)
+
 xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
 xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.
 xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
diff --git a/src/main/resources/lessons/xss/js/stored-xss.js b/src/main/resources/lessons/xss/js/stored-xss.js
index 57cc3dc55..ad8a2b805 100644
--- a/src/main/resources/lessons/xss/js/stored-xss.js
+++ b/src/main/resources/lessons/xss/js/stored-xss.js
@@ -3,7 +3,7 @@ $(document).ready(function () {
         var commentInput = $("#commentInput").val();
         $.ajax({
             type: 'POST',
-            url: 'CrossSiteScripting/stored-xss',
+            url: '/WebGoat/CrossSiteScriptingStored/stored-xss',
             data: JSON.stringify({text: commentInput}),
             contentType: "application/json",
             dataType: 'json'
@@ -32,7 +32,7 @@ $(document).ready(function () {
 
     function getChallenges() {
         $("#list").empty();
-        $.get('CrossSiteScripting/stored-xss', function (result, status) {
+        $.get('/WebGoat/CrossSiteScriptingStored/stored-xss', function (result, status) {
             for (var i = 0; i < result.length; i++) {
                 var comment = html.replace('USER', result[i].user);
                 comment = comment.replace('DATETIME', result[i].dateTime);