- Added new challenges

- Added new webapplication called WebWolf to make attacks more realistic
- Added WebWolf lesson to explain the concepts behind this new application

webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html

@@ -0,0 +1,99 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Uploading_files.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
+    <div class="attack-container">
+        <form accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/WebWolf/send"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="col-md-4">
+                        <div class="form-group input-group">
+          <span class="input-group-addon">
+            @
+          </span>
+                            <input class="form-control" placeholder="test1233@webgoat.org" name="email" type="email"
+                                   required=""/>
+                        </div>
+                        <button type="submit" class="btn btn-primary btn-block" id="btn-login">
+                            Send e-mail
+                        </button>
+                    </div>
+                </div>
+            </div>
+        </form>
+        <br/>
+        <br/>
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/WebWolf/mail/"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="col-md-4">
+                        <div class="input-group">
+                            <input type="text" class="form-control"
+                                   placeholder="Type in your unique code"
+                                   name='uniqueCode'/>
+                            <div class="input-group-btn">
+                                <button class="btn btn-primary" type="submit">Go</button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </form>
+        <br/>
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Landing_page.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>
+
+        <br/>
+        <br/>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/WebWolf/landing/"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="col-md-4">
+                        <div class="input-group">
+                            <input type="text" class="form-control"
+                                   placeholder="Type in your unique code"
+                                   name='uniqueCode'/>
+                            <div class="input-group-btn">
+                                <button class="btn btn-primary" type="submit">Go</button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </form>
+        <br/>
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
+</html>

webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1,9 @@
+webwolf.title=WebWolf
+
+webwolf.email_send=An email has been send to {0} please check your inbox.
+webwolf.code_incorrect=That is not the correct code: {0}, please try again.
+
+
+webwolf.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.
+
+webwolf.landing_wrong=This is the wrong code, try to look for the uniqueCode in the parameters in WebWolf.

webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Introduction.adoc

@@ -0,0 +1,21 @@
+== Introducing WebWolf
+
+WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
+make a clear distinction between what takes place on the attacked website and the actions you need to do as
+an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there
+was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the
+website. The following items are supported in WebWolf:
+
+* Hosting a file
+* Receiving email
+* Landing page for incoming requests
+
+WebWolf runs as a separate web application and is started automatically when using the Docker image. If you
+are not using the Docker image you will need to download the jar file and start it:
+
+```
+java -jar webwolf-<<version>>.jar
+```
+
+This will start the application on port 8081, in your browser type: `http://localhost:8081/WebWolf`
+You will be redirected to the login page where you need to login with your WebGoat username and password

webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Landing_page.adoc

@@ -0,0 +1,25 @@
+== Landing page
+
+This page will show all the requests made to '/' or '/challenge'. This means
+you can use WebWolf as your landing page for harvesting cookies etc which
+is helpful when you perform a XSS lesson.
+
+image::images/requests.png[caption="Figure: ", style="lesson-image"]
+
+{nbsp}
+{nbsp}
+{nbsp}
+
+*For this exercise you need to login to WebWolf first.*
+
+{nbsp}
+{nbsp}
+
+Suppose we tricked a user to click on a link he/she received in an email, this link will open up our crafted
+password reset link page. The user does not see any difference with the normal password reset page of the company.
+The user enters a new password and hits enter, the new password will be send to your host. In this case the new
+password will be send to WebWolf. Try to locate the unique code.
+
+Please be aware after resetting the password the user will receive an error page in a real attack scenario the
+user would probably see a normal success page (this is due to a limit what we can control with WebWolf)
+

webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Receiving_mail.adoc

@@ -0,0 +1,18 @@
+== Your own mailbox
+
+WebWolf offers a mail client which will contain the e-mail send during a lesson.
+This mailbox is user specific so each user has a separate mailbox. All e-mail
+send to {user}@.... wil end up in this inbox.
+
+{nbsp}
+{nbsp}
+{nbsp}
+
+image::images/mailbox.png[caption="Figure: ", style="lesson-image"]
+
+{nbsp}
+{nbsp}
+{nbsp}
+
+Try it, type in your e-mail address below and check in
+WebWolf your e-mail and type in the unique code below.

webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Uploading_files.adoc

@@ -0,0 +1,12 @@
+== Uploading files
+
+In this section you can upload files these files will be available from outside
+the application. For example in a XXE attack you want to reference a DTD which you
+reference from a xml, you can use WebWolf to serve this DTD.
+
+image::images/files.png[caption="Figure: ", style="lesson-image"]
+
+{nbsp}
+
+After uploading a file you can use the 'Link' to get the full URL to the uploaded
+file.

webgoat-lessons/webwolf-introduction/src/main/resources/templates/webwolfPasswordReset.html

@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
+</head>
+
+<body>
+<div class="container">
+    <div class="row">
+        <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
+            <form role="form" method="POST" th:action="${webwolfUrl}">
+                <h2 class="sign_up_title">Reset your password</h2>
+                <input type="hidden" name="uniqueCode" th:value="${uniqueCode}"/>
+                <div class="form-group">
+                    <label for="password" class="control-label">Password</label>
+                    <input type="password" class="form-control" id="password" placeholder="Password"
+                           name='password'/>
+                </div>
+                <div class="row">
+                    <div class="col-xs-12 col-md-12">
+                        <button type="submit" class="btn btn-success btn-block btn-lg">Save</button>
+                    </div>
+                </div>
+                <div>
+                    <a href="https://github.com/WebGoat">(c) 2017 WebGoat Company</a>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>
+</body>
+
+</html>