diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
index 7f6683f66..e88a26f0f 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -47,6 +48,7 @@ import java.io.IOException;
 * @created October 28, 2003
 */
 @AssignmentPath("/CrossSiteScripting/attack5a")
+@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 @Autowired
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 36e433c58..e3aecac2d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
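Review bot: The added `@AssignmentHints` line in CrossSiteScriptingLesson5a.java is one long line with a redundant `value =`; since `value` is the only element given, the shorthand `@AssignmentHints({` with one key per line and a closing `})` reads better and stays within a normal column limit. The four keys are plain string literals, and nothing visible in the hunk ties them to WebGoatLabels.properties, so a typo would presumably only show up at runtime as a missing hint. All four keys are defined in this commit's properties change, so this is about how the line is written, not what it does. The class body continues outside the hunk.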
@@ -2,8 +2,12 @@ xss.title=Cross Site Scripting
 xss-stored.title=Cross Site Scripting (stored)
 xss-mitigation.title=Cross Site Scripting (mitigation)
-xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
-xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
+xss-reflected-5a-success=Well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
+xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
+xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
+xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
+xss-reflected-5a-hint-4=Just try purchasing something. You want your script to be included in the purchase-confirmation.
 xss-reflected-5b-success=Correct ... because